Instagram has denied that its systems were breached after users reported receiving unexpected password reset emails. The messages, which appeared to be legitimate account recovery notifications, prompted concern that account information may have been compromised. Instagram said the activity was linked to a technical issue affecting its password reset process rather than unauthorised access to internal systems.
Users reported receiving password reset emails they did not request, in some cases multiple times within a short period. The notifications were sent through Instagram’s standard recovery workflow, which is designed to help account holders regain access if they forget their password. Instagram stated that the emails were triggered by an external party, but this did not mean that accounts had been compromised or that passwords had been exposed.
According to the company, the incident involved an issue that allowed password reset messages to be generated without a successful login or account compromise. Instagram said it addressed the problem and restored normal behaviour for the reset function. The company advised users to ignore reset emails they did not initiate and to avoid interacting with suspicious messages.
The reports emerged alongside claims that a large dataset connected to Instagram accounts was being advertised in cybercrime spaces. Such listings typically allege that personal information has been obtained and is available for sale or distribution. Meta, Instagram’s parent company, stated that it had not found evidence of a new breach linked to the reset email activity and confirmed that the two issues were not connected.
While Instagram said its internal systems were not breached, unexpected password reset emails can still create security risks for users. Cyber security specialists note that attackers may use automated requests to generate repeated reset notifications, either to harass users or to increase the likelihood that someone clicks a link in a message without verifying it. Repeated account recovery attempts can also confuse, particularly if users believe their account is under direct attack.
Security researchers have also warned that account recovery-related messages are frequently used in phishing attempts. Fraudulent emails may imitate legitimate reset notifications and direct users to fake login pages designed to capture credentials. Even when a reset email is genuine, users are advised to access their account through the official Instagram app or website rather than clicking links from unexpected messages.
Instagram has encouraged users to review account security settings as a precaution. Recommended steps include using a strong and unique password, enabling multi-factor authentication, and checking for unfamiliar login activity. Users are also advised to confirm that the email address and phone number associated with their account are correct, as these details are used for recovery and verification.
Meta has previously advised users to treat unsolicited security messages as a warning sign and to avoid sharing login details through third-party sites. The company has also recommended that users report suspicious emails and messages through platform tools where possible.
Instagram said the password reset issue has been resolved. The incident highlights how changes or weaknesses in account recovery systems can lead to widespread concern, particularly when they coincide with separate reports of leaked data circulating online.