Instagram says no data breached, despite 17.5 million users account data leaked online
If you received an email over the weekend about a password reset request from Instagram, you’re not alone. In fact, many people got one and the email did look pretty legit: the email is a real Instagram email account, and there’s even a blue checkmark that screams real. However, it was highly likely sent by hackers following a leak of 17.5 million user accounts.
We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems and your Instagram accounts are secure.
— Instagram (@instagram) January 11, 2026
You can ignore those emails — sorry for any confusion.
While there was additional clarification from Meta, the cybersecurity company Malwarebytes warned its users that the data of 17.5 million Instagram accounts had been scraped and posted online.
Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more. pic.twitter.com/LXvjjQ5VXL
— Malwarebytes (@Malwarebytes) January 9, 2026
According to BleepingComputer, who found the data posted for free on several hacking forums, the user who posted it claimed it was collected via an Instagram API leak back in 2024. BleepingComputer added that they found details of 17,017,213 Instagram accounts, which includes usernames, emails, phone numbers and addresses. On the brightside, it does seem that this data doesn’t include passwords.
In any case, if you do receive another similar email in the future, there’s an easy way to check its legitimacy. Simply head to your Instagram app, go into settings and tap on Accounts Centre. There, scroll down to ‘Password and security’ and on the bottom you’ll see ‘Recent emails’. You can use then use this to check whether or not Instagram really did send you an email. Of course, it’s better to be safer by just turning on 2FA too.
Read more of our articles below!
