By The Southern Nerd
10 Jan. 2026
Over the past several months, you might have been getting emails from Instagram over password reset requests which you did not initiate. Now, thanks to Malwarebytes, we may finally know why.
In an email sent out to customers yesterday, Malwarebytes announced that it had discovered leaked information for 17.5 million Instagram accounts on the dark web. So far there has been no official announcement from Instagram. Malwarebytes says the information includes usernames, email addresses, physical addresses, phone numbers “and more.”
No word on whether or not this included passwords but it is still advisable to change passwords regularly, especially after a data breach. Either way, the information gathered can be used for phishing, identity theft attempts and scams.
So far there has not been an official word from Instagram, but Instagram users on Reddit have long reported unsolicited password reset emails. These emails do in fact come from the company (WARNING: If you get such an email, don’t just assume it’s legit from the company as hackers can still send very convincing fakes) and users were confused as to why they were getting them.
Some discussions have speculated that these emails come from the result of automated bot activity. The purpose of which, they claim, is to check and see whether or not there is an account associated with the email address. Although this tactic doesn’t give them access to the account, they can verify that there is an account if the website sends them to a screen which reads “We’ve sent a link to the email _____.”
Users report the same tactic being used with both their emails and their phone numbers.
Although there’s no word specifically on whether or not passwords have been leaked in this specific breach, security experts warn that the standard username and password combination is not enough. At the very least there needs to be two-factor authorization, with many websites requiring it. Most advise taking the extra measure of enabling two-factor authorization via an authenticator app and downloading backup codes.
Backup codes are essential, as they provide an emergency way of getting back into your account if you’re ever locked out.
The Southern Nerd 