Instagram password reset emails flood users as Meta says ‘no breach’

Millions of Instagram users received unexpected password reset emails in a short period, after Meta said it fixed an issue that let an external party trigger reset requests for some accounts.

[Image: Instagram password reset emails, January 2026]

Millions of Instagram users were hit by a sudden wave of password reset emails, sparking fears that accounts had been hacked or that a mass data breach was underway.

Meta says the email flood was caused by a technical issue that allowed an outside party to trigger password reset emails for some users, and that it has now been fixed.    

What Meta and Instagram said

Meta’s statement acknowledges the reset-email surge and points to abuse of the reset-request mechanism rather than a compromise of Instagram’s internal systems.

“We fixed an issue that allowed an external party to request password reset emails for some Instagram users,” a Meta spokesperson said.    

The spokesperson added:

“There was no breach of our systems and people’s Instagram accounts remain secure.”    

What likely happened technically

A password reset email can be triggered without logging into an account.

If a platform’s reset-request flow can be automated at scale (for example, through weak rate limits, missing friction like CAPTCHA, or gaps in abuse detection), attackers can generate a large volume of reset emails for targeted users.

This type of incident is typically closer to an abuse or “email bombing” event than an account takeover on its own:

  1. An attacker repeatedly submits reset requests using known usernames or email addresses.
  2. The platform sends legitimate reset emails to the account owner.
  3. The attacker hopes the user panics and clicks a link in a rush, or gets conditioned to ignore real security alerts later.
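One way a service can bound the reset-request abuse described above, shown as an added example (not code from Meta or from the original article): a sliding-window throttle keyed on both the target account and the source address, with an identical reply whether or not mail is sent. The class and function names, the thresholds and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

GENERIC_REPLY = "If that account exists, a reset email has been sent."

class ResetThrottle:
    """Sliding-window limits on reset requests. Thresholds are assumed values."""
    def __init__(self, per_account=3, per_source=10, window=3600):
        self.per_account = per_account  # emails per target account per window
        self.per_source = per_source    # requests per source IP per window
        self.window = window            # seconds
        self._by_account = defaultdict(deque)
        self._by_source = defaultdict(deque)

    def _recent(self, queue, now):
        # Drop timestamps that aged out of the window, then count the rest.
        while queue and queue[0] <= now - self.window:
            queue.popleft()
        return len(queue)

    def allow(self, account, source, now):
        acct_q = self._by_account[account.lower()]
        src_q = self._by_source[source]
        # Every request counts against the source, even suppressed ones, so a
        # client cycling through many usernames still trips the source limit.
        over_source = self._recent(src_q, now) >= self.per_source
        src_q.append(now)
        if over_source or self._recent(acct_q, now) >= self.per_account:
            return False
        acct_q.append(now)
        return True

def handle_reset(throttle, account, source, now, outbox):
    # The reply is identical whether or not mail is sent, so throttling does
    # not reveal which accounts exist or are currently limited.
    if throttle.allow(account, source, now):
        outbox.append((now, account))
    return GENERIC_REPLY

def constructed_events():
    # Constructed sample data: (timestamp_seconds, target_account, source_ip)
    events = [(t, f"user{t % 20}", "198.51.100.7") for t in range(40)]  # one source, many targets
    events += [(100 + i, "Alice", f"203.0.113.{i}") for i in range(8)]  # many sources, one target
    events.append((5000, "alice", "192.0.2.10"))  # owner's own request, after the window
    return events

def replay(events):
    throttle, outbox = ResetThrottle(), []
    for now, account, source in sorted(events):
        handle_reset(throttle, account, source, now, outbox)
    return outbox
```

With the constructed events, 49 requests produce 14 emails. The per-account cap also delays a legitimate reset while a flood against that account is in progress, so it is normally paired with an alternative recovery path.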

Security specialists also warned users to avoid clicking reset links from email and to go directly to Instagram settings instead.  

Was Instagram security breached?

Based on Meta’s statement, the company is drawing a clear distinction between the email flood and a systems breach.

In practical terms:

  • The reset-email flood alone does not prove someone accessed your Instagram account.
  • A reset email does not mean your password changed (that requires the reset link or code).
  • The main risk is phishing or social engineering if scammers can get users to click links and hand over credentials.

At the same time, separate claims circulating online about a dataset involving Instagram user details are being discussed by cybersecurity researchers and outlets, but Meta has denied a breach of its systems in connection with the email flood.    

What users should do right now

  1. Do not click links in unexpected password reset emails. Open Instagram directly (app or typed URL) and check security settings.  
  2. Change your Instagram password only via the app or official recovery flow, and use a unique password.  
  3. Turn on two-factor authentication and review login activity for unfamiliar devices or locations.  
  4. If you reused the same password elsewhere, change it on those services too.

The key open questions are whether Meta provides a deeper technical explanation of the bug it fixed, and whether any verified evidence emerges that the email flood was connected to a confirmed leak of user data (as opposed to previously scraped or publicly compiled contact information).