Few things cause more worry about an app than security updates you never asked for. This was the case after a wave of Instagram users were prompted to reset their passwords.

On January 8, 2026, reports started surfacing on social media and cybersecurity forums as users questioned whether their accounts had been compromised.

That uncertainty deepened when antivirus company Malwarebytes claimed it had identified data linked to 17.5 million Instagram accounts circulating online. According to the company, the exposed information allegedly included usernames, phone numbers, email addresses, and even physical locations.

It further said the data appeared during a dark web scan tied to a possible Instagram API exposure dating back to 2024, and the "data is available for sale on the dark web and can be abused by cybercriminals."

Days later, things took a different turn when Instagram debunked this. In a post on X (formerly Twitter), the company said: "There was no breach of our systems, and your Instagram accounts are secure." It also explained why some people had received those password reset emails: "We fixed an issue that let an external party request password reset emails for some people." It further called on users who received those emails to "ignore" them.

The contrast between the two explanations left users in an uncomfortable middle ground. On one side, a security firm warning of exposed data for sale. On the other, Instagram insisting the issue never crossed into account compromise. Neither scenario is reassuring, especially for a platform woven so tightly into daily communication and business.

This tension isn’t unique to Instagram. Large social platforms have become frequent targets because of their scale and the sheer amount of personal data they hold. In 2025, Forbes reported that data linked to more than 200 million users on X was allegedly leaked, underscoring how even mature platforms continue to struggle with abuse, automation, and third-party exposure.


This trend shows how important it is to protect yourself from becoming a victim of a cyberattack. Here are some tips to safeguard yourself:

  • Avoid unexpected password reset emails. Don't click links in them.
  • Enable 2FA and use an authenticator app.
  • Check your account's security in the Instagram app.
  • Update your password if you're unsure, and use different passwords everywhere.
  • If you notice any suspicious activity on your account, report it to Instagram's customer service immediately.

What this episode ultimately highlights is how fragile digital trust has become. Security today isn’t just about preventing breaches; it’s about how clearly companies communicate when something goes wrong. For users, staying safe increasingly means assuming uncertainty, and acting defensively even when platforms say everything is fine.
