Instagram Confirms Password-Reset Spam Flood, Denies Breach

Security Experts See Coincidental Timing After Leak of Scraped Instagram User Data Mathew J. Schwartz (euroinfosec) • January 12, 2026

Social media mainstay Instagram said hackers didn't breach its systems even amid a massive wave of password reset emails sent by its own systems to users traced to malicious activity.

See Also: Top 10 Technical Predictions for 2025

Users on Thursday and Friday reported receiving emails from security@mail.instagram.com, sometimes dozens a day, stating that "we got a request to reset your Instagram password." The emails stated that if the recipient didn't initiate the activity, "you can ignore this message."

Cybersecurity firm Malwarebytes tied the emails to criminals wielding stolen email addresses to abuse of Instagram's password-reset feature.

"Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses and more," Malwarebytes said in a Saturday ...