Instagram has moved to quell a growing user panic, firmly denying that a significant security breach led to the data of over 17 million accounts being stolen. The controversy erupted after a vast number of users received unexpected password reset emails on Friday, January 10, 2026, sparking fears of a major hack.
Conflicting Claims Over a Potential Data Leak
The alarm was initially raised by the cybersecurity company Malwarebytes. The firm reported that sensitive information from an estimated 17.5 million Instagram accounts had been compromised by cybercriminals. According to their analysis, the leaked data bundle included usernames, physical addresses, phone numbers, and email addresses.
Malwarebytes issued a stark warning, stating that this trove of personal information was available for sale on the dark web and could be readily exploited by criminals for phishing attacks, identity theft, and other malicious activities.
Instagram's Official Response on Platform X
Contradicting these claims, Instagram's official communications team took to the social media platform X on Sunday morning to address the situation directly. The company stated it had resolved "an issue that let an external party request password reset emails for some people."
In a bid to reassure its global user base, the platform asserted, "There was no breach of our systems and your Instagram accounts are secure." The advice from Instagram was for users to simply ignore the password reset emails they had received, with an apology added for any confusion caused.
User Skepticism and Security Advice
However, the explanation did little to satisfy many concerned users, who flooded the comments with scepticism. One user questioned the logic, pondering, "No breach but an external party can trigger a password reset? Sounds like a breach." Others expressed frustration at the time spent personally securing their accounts in response to the incident.
In light of the ongoing concerns, Instagram reiterated its standard security guidance. The platform strongly recommends enabling two-factor authentication (2FA), which can be set up using a phone number, an authenticator app like Google Authenticator, or, in the coming weeks in some countries, via a linked WhatsApp number.
The company also advises all users to ensure the email addresses and phone numbers associated with their accounts are up to date. This measure is crucial for account recovery should a hacker ever change your login details.
