CRBC News

Urgent: Unexpected Instagram Password-Reset Emails — What To Check Now


Instagram users worldwide are receiving unexpected password-reset emails that closely resemble official messages. A surge in reset notices may be linked to a BreachForums post claiming data on 17.5 million accounts. Instagram advises verifying sender addresses (emails come from @mail.instagram.com), enabling two-factor authentication, securing your email with a unique password, and visiting instagram.com/hacked if your account is compromised.

Instagram users around the world are reporting unexpected password-reset emails that closely mimic official messages from the platform. Recipients should be cautious and avoid clicking links in suspicious emails — attackers are relying on panic and haste to trick people into exposing account access.

What happened: Forbes contributor Davey Winder said he received a convincing-looking email claiming Instagram had received a request to reset his password. The message included a prominent blue Reset Password button and the text below.

"If you ignore this message, your password will not be changed. If you didn't request a password reset, let us know."

How the campaign appears to work

Reports suggest a recent surge in password-reset notices followed a data dump posted on BreachForums that claimed to include information from 17.5 million Instagram accounts. Attackers may be using leaked account data to target users with convincing reset emails or to attempt account takeover once additional credentials are obtained.


What Instagram says

Instagram warns that receiving a password-reset email does not automatically mean your account has been breached — it can happen by mistake if someone mistyped an address. According to Instagram's Help Center, legitimate emails from the platform only come from addresses ending in @mail.instagram.com. Messages from other senders may be phishing attempts.
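The sender check described above can be automated for a mailbox you administer. The following is an added example, not code from Instagram or from this article: it compares the exact domain of the From address with mail.instagram.com and, because a From header is written by the sender, also requires a DMARC pass recorded by the receiving server. The server name mx.example.net, the local part "sender" and all sample messages are constructed, and it assumes your mail server stamps an Authentication-Results header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

EXPECTED_DOMAIN = "mail.instagram.com"  # sender domain quoted in the article
TRUSTED_AUTHSERV = "mx.example.net"     # assumption: id of your own receiving server


def sender_problems(raw_message: str) -> list[str]:
    """Return reasons the message fails the sender check; empty list means it passes."""
    msg = message_from_string(raw_message)
    problems = []

    # Compare the real address, not the display name, and match the domain exactly.
    _display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain != EXPECTED_DOMAIN:
        problems.append(f"From domain {domain!r} is not {EXPECTED_DOMAIN}")

    # Only count a DMARC result written by our own server; an Authentication-Results
    # header carrying any other server id is ignored.
    dmarc_pass = False
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue
        if re.search(r"\bdmarc\s*=\s*pass\b", results, re.IGNORECASE):
            dmarc_pass = True
    if not dmarc_pass:
        problems.append("no dmarc=pass recorded by the trusted receiving server")
    return problems


def _sample(from_header: str, auth_results: str) -> str:
    # Constructed test message, not a real Instagram email.
    return (f"From: {from_header}\nAuthentication-Results: {auth_results}\n"
            "Subject: Reset your password\n\nbody\n")


SAMPLES = {
    "authenticated": _sample("Instagram <sender@mail.instagram.com>",
                             "mx.example.net; dmarc=pass header.from=mail.instagram.com"),
    "lookalike": _sample('"sender@mail.instagram.com" <reset@mail-instagram.example>',
                         "mx.example.net; dmarc=pass header.from=mail-instagram.example"),
    "unauthenticated": _sample("Instagram <sender@mail.instagram.com>",
                               "mx.example.net; dmarc=fail header.from=mail.instagram.com"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, sender_problems(raw) or "passes sender check")
```

A pass only shows the message came from that domain. As noted above, a genuine reset email can still arrive without you having requested it, so the advice to go to the app or instagram.com directly still applies.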

Practical steps to protect your account

  • Do not click password-reset links in unexpected emails. Instead, open the Instagram app or visit instagram.com directly and check your account from there.
  • Enable two-factor authentication (2FA). With it on, Instagram requires a code when you sign in from an unrecognized device. The platform enables 2FA by default for creator accounts; all users should verify it's enabled.
  • Use a unique, strong password for your email account — if attackers can access your email, they may reset other accounts tied to it.
  • Check your login activity and connected devices in Instagram's settings and remove anything unfamiliar.
  • Consider changing your Instagram password from within the app or the official website if you see suspicious activity.

If your account is compromised

If you cannot log in or think your account has been taken over, follow Instagram's recovery steps at instagram.com/hacked. Instagram also provides a recovery process for compromised accounts in its Help Center with step-by-step instructions on securing access and restoring control.

Bottom line: Unexpected password-reset messages are a red flag. Verify the sender, avoid clicking links in emails, enable 2FA, secure your email account with a unique password, and use Instagram's official recovery tools if you suspect a compromise.
