Social media platform Instagram has rejected claims that its platform suffered a data breach after large numbers of users reported receiving unexpected password reset emails. According to the company, the emails were triggered by a technical flaw that allowed a third party to initiate legitimate password reset requests. Instagram said the issue has since been fixed and stressed that its internal systems were not compromised, assuring users that their accounts remain safe.

Despite this reassurance, several cybersecurity experts have raised doubts. Malwarebytes, a well-known security firm, suggested the emails were linked to a hacking incident rather than a simple technical error. In a post shared on X, Malwarebytes alleged that hackers had obtained personal information from 17.5 million Instagram accounts. The firm claimed the exposed data included usernames, phone numbers, email addresses, physical locations, and other sensitive details. The post, which included an image of an Instagram password reset email, quickly gained traction, attracting more than 2.3 million views.

Malwarebytes later told the BBC that it believes the surge in password reset emails coincided with the sale of private user data on a criminal forum. On that forum, a seller claims to possess personal information belonging to millions of Instagram users, allegedly sourced from a “leak” dating back to 2024.

However, some independent security researchers dispute this account. They suggest the dataset may not be new, arguing it could be compiled from information that was publicly accessible on Instagram profiles as far back as 2022, such as names and locations. The combination of password reset emails and warnings from security firms has left many users confused and concerned. Instagram’s explanation has also drawn scrutiny, particularly its statement that an “external party” was able to request password resets without clarifying how this was possible.