Instagram has moved to calm widespread concern after millions of users across the world reported receiving unexpected password reset emails, triggering fears of a large-scale data breach. The Meta-owned social media platform has clarified that the emails were caused by a technical issue and not the result of its systems being hacked, pushing back against claims made by a cybersecurity firm that user data had been exposed and put up for sale on the dark web.

The clarification came after several days of confusion and anxiety among Instagram users, many of whom said they received official-looking emails urging them to reset their passwords despite not having requested any such action. Screenshots of the emails began circulating on social media, with users questioning whether their accounts had been compromised and whether sensitive personal information was at risk.

Instagram’s official clarification

In a statement posted on X, Instagram acknowledged the incident and apologised for the confusion. The company said the password reset messages were generated due to a flaw that allowed an external party to trigger reset emails for certain accounts, without actually gaining access to Instagram’s internal systems.

“We fixed an issue that let an external party request password reset emails for some people,” the company said. “There was no breach of our systems and your Instagram accounts are secure. You can ignore those emails — sorry for any confusion.”

Instagram stressed that the issue did not involve unauthorised access to user accounts, passwords, or internal databases. According to the platform, no login credentials were exposed and no accounts were taken over as a result of the incident.

Why the emails caused alarm

Password reset emails are commonly associated with hacking attempts or account compromise, making them particularly sensitive for users. When such emails arrive without a user initiating a reset, they are often interpreted as a sign that someone else is trying to access the account.

In this case, the situation was further inflamed by the timing and scale of the emails. Users from multiple countries reported receiving the messages around the same period, leading to speculation that Instagram had suffered a global breach. Some users said they received repeated emails over several days or weeks, adding to their suspicion.

For many, the fear was compounded by recent high-profile data breaches affecting other major platforms, which have made users more alert—and more anxious—about the security of their online accounts.

Cybersecurity firm alleges large-scale data exposure

The concerns escalated significantly after cybersecurity firm Malwarebytes linked the password reset activity to what it described as a massive Instagram data exposure. In a public statement, Malwarebytes claimed that information connected to 17.5 million Instagram accounts worldwide had been leaked.

According to the firm, the allegedly exposed data included usernames, physical addresses, phone numbers, email addresses, and other personal details. Malwarebytes warned that such information could be exploited for phishing attacks, identity theft, targeted scams, or account takeovers.

“Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more,” the firm said. It added that the data was being advertised for sale on the dark web, where it could be misused by malicious actors.

These claims quickly gained traction online, with users urging each other to check whether their details had been leaked and to change passwords immediately. Some posts suggested that the password reset emails were a direct consequence of this alleged breach.

Instagram rejects breach claims

Instagram has firmly denied Malwarebytes’ assertions, stating that there was no compromise of its systems and no evidence of a mass data breach originating from the platform. The company maintains that the technical issue only allowed password reset emails to be triggered, not access to user data or accounts.

The platform has not confirmed whether the data described by Malwarebytes may have originated from older breaches, third-party services, scraped public information, or unrelated sources. It has, however, reiterated that the recent wave of password reset emails should not be interpreted as proof that Instagram’s databases were hacked.

This divergence between Instagram’s explanation and the cybersecurity firm’s claims has left users caught between two narratives, unsure whom to believe and how seriously to treat the risk.

Users share mixed experiences

As the debate unfolded, Instagram users took to social media to share their personal experiences. Some said they had been receiving password reset emails for weeks, while others reported isolated incidents that prompted them to take immediate action.

“I’ve been getting Meta emails about changing my password the last like two weeks,” one user wrote on X, suggesting the issue may have been ongoing rather than a single event.

Another user said, “I got the email that mine was accessed last night. Immediately changed my password,” reflecting the instinctive response many had when confronted with the messages.

A third user claimed to have received multiple reset emails and said they checked their information against lists allegedly linked to the breach. “Can confirm, got two password resets and checked to see my stuff on the data breach, change your passwords,” the user posted.

While these accounts highlight the level of anxiety among users, they do not independently confirm that Instagram accounts were actually accessed or compromised.

What users should do now

Despite Instagram’s assurance that accounts remain secure, cybersecurity experts generally advise users to take precautionary steps whenever unusual account-related emails appear. These include checking login activity, enabling two-factor authentication, and ensuring passwords are strong and unique.

Instagram itself has said users can safely ignore the unexpected reset emails if they did not request them. However, it has not discouraged users from changing passwords if doing so provides peace of mind.

Experts also warn users to be cautious of phishing emails that mimic legitimate password reset messages. Even if Instagram’s emails were genuine in this case, scammers often exploit such situations by sending fake messages designed to steal login credentials.

A broader trust challenge

The incident underscores a broader challenge faced by major tech platforms: maintaining user trust in an era of frequent cyber incidents and heightened awareness of digital privacy risks. Even technical glitches can spark panic when they resemble the warning signs of a breach.

For Instagram, the episode highlights how quickly misinformation and fear can spread, particularly when external reports suggest large-scale data exposure. For users, it serves as a reminder that online security is not only about actual breaches, but also about how platforms communicate during moments of uncertainty.

While Instagram insists there was no hack and no loss of user data, the mixed signals from cybersecurity reports and user experiences have left lingering questions. For now, the company says the issue has been fixed, the emails can be ignored, and user accounts remain secure—but the incident has already reinforced how sensitive and fragile digital trust can be in the modern internet ecosystem.