(Credit: Nikolas Kokovlis/NurPhoto via Getty Images)
UPDATE 1/12: Instagram denies that the reset emails are related to a breach.
Original Story:
A data breach may have impacted up to 17.5 million Instagram accounts, revealing sensitive data including usernames, physical addresses, phone numbers, and email addresses.
This type of data can be used by hackers to gain access to users' accounts. Cybersecurity firm Malwarebytes, which first reported the breach, advised users to change their passwords in the wake of the breach or enable two-factor authentication (2FA). However, don't click on unsolicited password reset emails.
Some Instagram users appear to be receiving fake password reset emails—a common technique used in phishing scams. Meanwhile, several Reddit users have also posted screenshots of unprompted password reset requests in recent days.
If you received these emails, change your password directly via Settings and activity > Accounts Center > Password and security > Change password.
To enable two-factor authentication on Instagram, head to Accounts Center > Password and security, and select two-factor authentication. You'll need to add your chosen security method, such as an authenticator app (recommended) or SMS (less secure).
CyberInsider suggests that the stolen data stems from an Instagram API leak that occurred in 2024, since the data contained “entries with structured JSON fields typical of API responses,” though it didn’t rule out other causes. On Jan. 7, 2026, a user with the alias “Solonik” published what appears to be stolen data on a message board dedicated to sharing personal information collected from data breaches, offering it for free.