Meta fixed an Instagram password reset flaw that let third parties send reset emails, while denying a data breach despite leak claims.
Meta confirmed fixing an Instagram password reset vulnerability that allowed third parties to trigger reset emails, while denying any breach despite claims of leaked user data.
“We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems and your Instagram accounts are secure,” the company wrote on X. “You can ignore those emails — sorry for any confusion.”
Recently, users reported receiving unsolicited Instagram password reset emails, though the company disclosed no technical details about the flaw. Since January 10, 2026, a million users have received password reset emails, sparking confusion and fears of a global cyberattack. Security experts warn this is a serious privacy breach with real-world risks, and affected data may already be circulating on the dark web.
A Meta spokesman said there was no system breach and that Instagram accounts remain secure, and invited users to ignore the password reset emails.
However, Malwarebytes researchers found a sensitive database for sale on a cybercrime forum, described as a “doxxing kit” affecting nearly 18 million Instagram users. Unlike past data scrapes, this leak includes physical home addresses linked to Instagram user IDs.
The stolen data likely didn’t come from Instagram profiles alone. Attackers may have combined Instagram user IDs with data from external databases, such as marketing lists, data brokers, e-commerce platforms, or leaked customer records, to match usernames with real names and home addresses.
By linking online identities to physical addresses, the threat goes beyond spam or account takeovers. It enables stalking, swatting, extortion, and identity theft, turning a digital privacy breach into a potential real-world safety risk.
Have I Been Pwned (HIBP) warned that a hacker shared a dataset of over 17 million records, including 6.2 million emails and other user data, allegedly scraped via an Instagram API.
“In January 2026, data allegedly scraped via an Instagram API was posted to a popular hacking forum. The dataset contained 17M rows of public Instagram information, including usernames, display names, account IDs, and in some cases, geolocation data. Of these records, 6.2M included an associated email address, and some also contained a phone number,” reads the post published by HIBP. “The scraped data appears to be unrelated to password reset requests initiated on the platform, despite coinciding in timeframe. There is no evidence that passwords or other sensitive data were compromised.”
Source: SecurityAffairs
Source Link: https://securityaffairs.com/186829/security/meta-fixes-instagram-password-reset-flaw-denies-data-breach.html