Do you have an Instagram account?
A recent increase in Instagram password reset emails which started earlier this month coincides with reports that data linked to more than 17 million Instagram accounts may have reappeared on underground dark web websites.
While the emails look genuine as though they are being sent from Instagram’s own systems — they are in fact a scam!
Attackers are exploiting legitimate password‑reset tools to try to take over accounts, hoping recipients will click links without checking whether they actually requested a password reset.
Meta, Instagram’s parent company, has confirmed that an external party was able to trigger these reset notifications. The company stresses that this was not the result of a system breach and says the issue has now been fixed. Users are being advised to ignore any reset emails they did not initiate, and Meta maintains that account security has not been compromised.
The attackers seem to be relying on older, previously leaked information — such as usernames or email addresses — to fuel this campaign. Even without a fresh breach, these tactics are still catching people off guard, especially when the messages appear authentic.
We recommend some simple steps to help you stay protected:
- Treat any password reset email you didn’t request as suspicious.
- Turn on two-factor authentication (2FA) using an authentication app.
- Use strong, unique passwords and avoid re-using the same passwords across different services.
- Don’t click on links in an email. Open the app or website directly to check whether an account needs attention.
This incident is a reminder that even legitimate‑looking messages can be misused by attackers.
A moment of caution can make all the difference in keeping personal accounts secure.
If you’ve received a password reset email or are unsure about any message, email, text or phone call, please don’t hesitate to get in touch us. We’re here to help keep you, your family and/or your business safe online.