Users worldwide reported waves of fraudulent password reset messages designed to steal login credentials.
What happened
In January 2026, Instagram users across multiple regions reported receiving unexpected password reset emails that appeared to come from the platform. The messages closely resembled legitimate Instagram security alerts and directed recipients to links claiming to secure their accounts. Investigations confirmed the emails led to phishing pages that harvested usernames and passwords rather than initiating real resets. Mashable reported that the campaign escalated rapidly in the first half of January, with users flagging large volumes of identical emails arriving without any prior reset request.
Going deeper
The phishing emails mimicked Instagram branding, tone, and sender formatting to reduce suspicion. Victims who clicked the links were redirected to lookalike login pages designed to capture credentials. Once accounts were compromised, attackers often locked out legitimate users and reused the hijacked profiles to spread additional scams through messages and posts. Security researchers noted that mobile users were at higher risk because shortened address bars and smaller screens made fraudulent URLs harder to spot. Reports across social platforms suggested that attackers relied on broad email distribution rather than exploiting a flaw in Instagram’s systems.
What was said
Instagram said users can ignore the recent password reset emails and confirmed the messages were not tied to a system breach. In a post on X published in January 2026, the company said, “We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems, and your Instagram accounts are secure.” Instagram added that legitimate security alerts can be verified directly within the app.
The big picture
According to The Independent, the recent spike in Instagram password reset emails may be tied to a breach in which details from 17.5 million Instagram accounts were posted online, giving attackers the raw material needed to trigger convincing reset messages at scale. A separate analysis from WebProNews described the campaign as part of the ongoing “cat-and-mouse game” between attackers and defenders, noting that fake reset emails continue to change to look indistinguishable from legitimate security alerts.
Campaigns like these rely on trust in familiar brands and expected security workflows rather than malware, which makes traditional filters less effective. Email security platforms such as Paubox’s inbound email security are designed to reduce that exposure by blocking phishing attempts and impersonation emails before they ever reach inboxes, helping limit credential theft even when attackers lean on well-known services and realistic messaging.
FAQs
How can users tell if an Instagram reset email is fake?
Legitimate alerts can be confirmed inside the Instagram app under security settings. Unexpected emails with external links should be treated with caution.
Does Instagram ever ask users to reset passwords by email alone?
Password reset emails are only sent after a user initiates the request. Unprompted reset messages are a warning sign.
Why are these scams effective on mobile devices?
Smaller screens often hide full URLs, which makes it harder to spot subtle domain differences.
What should someone do if they clicked a phishing link?
They should change their password immediately, enable two-factor authentication, review login activity, and report the incident through Instagram’s support tools.
Are these attacks linked to a breach at Instagram?
There is no evidence of a breach within Instagram’s systems. The campaign relied on phishing techniques rather than platform vulnerabilities.
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
Farah Amod
