Instagram users reported a massive surge in unrequested password reset emails, a phenomenon cybersecurity experts are calling a “fire alarm” attack designed to trigger user panic. The wave of notifications coincided with the publication of a database containing sensitive information for 17.5 million Instagram accounts on the dark web forum BreachForums.
You May Like To Read: India Boosts Space Surveillance With New Spy Satellite Amid Launch Concerns
While Meta has officially denied a new breach of its systems, analysis suggests that attackers are “operationalizing” older, scraped data from 2022 to exploit a recently discovered vulnerability in Instagram’s password-reset mechanism.
The massive wave of password reset emails isn’t due to a new Instagram hack, but a tactical attack using old data scraped in 2024 that recently resurfaced
Attackers paired this data with a vulnerability in Instagram’s reset flow that allowed them to bypass standard rate limits… pic.twitter.com/p0lUM6smlB
— Guardio (@GuardioSecurity) January 12, 2026
The danger of this specific campaign lies in its legitimacy: the emails are genuine messages sent by Instagram’s own servers, not fake phishing clones. Attackers rely on “reset fatigue” or knee-jerk reactions, hoping users will click the link and inadvertently hand over account control or succumb to further social engineering. Instagram has since stated they “fixed an issue” that allowed external parties to trigger these emails en masse, but the leaked data, which includes usernames, emails, phone numbers, and user IDs, remains accessible to cybercriminals for future exploitation.
Check out our latest video:





























