Millions of Instagram users have been flooded with unexpected password reset emails, prompting renewed concern over the safety of account data and the long afterlife of past security failures. While Instagram insists its systems remain secure, cybersecurity researchers say a large cache of user information from an earlier incident is circulating again and fuelling fresh scams.

Antivirus firm Malwarebytes has warned that data linked to around 17.5 million Instagram accounts is once again being traded on hacking forums and the dark web. The information reportedly includes usernames, full names, email addresses, phone numbers and physical home addresses, making it especially valuable for cybercriminals looking to run targeted attacks. Malwarebytes traced the dataset back to a misconfigured Instagram API in 2024 that allowed attackers to quietly scrape profile details for months before the issue was addressed.

Although the original database later disappeared from underground markets, its reappearance in January 2026 highlights a harsh reality of data breaches. Once personal information is leaked, it can resurface long after a technical fix is applied. According to Malwarebytes, the latest activity has been linked to a hacker using the alias Solonik, with the data now being repackaged and resold as a so called doxxing kit.

The most visible effect for users has been a spike in legitimate password reset emails sent directly from Instagram’s own servers. Rather than relying on fake messages, attackers are allegedly abusing the platform’s reset process to generate real alerts from official instagram.com or meta.com addresses. This tactic can cause panic and confusion, creating an opening for follow up phishing attempts by text message or phone call that aim to steal login credentials.

Instagram has denied that a new breach has taken place. In a public statement shared on X, the company said it had fixed an issue that allowed an external party to trigger password reset emails for some users. It stressed that no internal systems were compromised and that accounts remain secure, advising users they can safely ignore the recent reset notifications.

Despite those assurances, security experts say the risks are real. Detailed personal data makes it far easier for scammers to impersonate Instagram support or craft convincing messages tailored to individual users. The threat is considered global, even though much of the early activity has been observed in Europe, and it is particularly serious for anyone who reuses passwords across multiple services such as email or online banking.

Cybersecurity professionals recommend taking immediate precautions. Users are urged to change their Instagram password to something unique, enable two factor authentication using an authenticator app rather than SMS, and review logged in devices through Meta’s Accounts Centre. The episode serves as a reminder that even when a platform resolves a vulnerability, the consequences of leaked data can persist for years and resurface without warning.