Woman holding iPhone with streaming photo and video Instagram on the screen

Has Instagram been hacked?

Over the past few days, Instagram users have reported receiving unexpected password reset emails. Sometimes several in a short space of time.

The messages appear genuine and are sent from official Instagram addresses, prompting understandable concern that accounts may have been compromised.

So what’s actually happened? And does this mean Instagram has been hacked? 

Why are Instagram users receiving password reset emails?

Meta, which owns Instagram, says the reset emails were caused by a technical weakness in the password reset process, not by hackers breaking into accounts. Meta says the issue has now been fixed and insists there was no breach of Instagram’s systems. If you did not click the link in the email, your account remains unchanged. 

That said, the emails were not likely to have been random. They are consistent with attempts to initiate account-takeover attacks. 

What were hackers trying to do?

These emails appear to be part of a common account-takeover technique.

  • Attackers start by triggering a password reset email to a real Instagram account. The goal is not to break Instagram’s systems, but to pressure the user into acting quickly.
  • Password reset emails are effective because they create urgency. When people see a genuine message saying “Reset your password”, many click first and think later. Especially if they believe their account is already under attack.
  • If the user panics, chooses a weak or reused password and does not have two-factor authentication enabled, the attacker may then be able to log in later using guessed or previously leaked credentials. 

In other words, the attack relies on human reaction, not technical hacking. 

Why did this suddenly start happening?

The timing is not a coincidence. Cybersecurity researchers report that a dataset linked to around 17.5 million Instagram accounts has recently been posted on a major hacking forum, BreachForums. 

The data reportedly includes: 

  • Instagram username
  • Email addresses
  • Phone numbers
  • User IDs and limited address information 

It does not appear to include passwords. 

Security firms, including Malwarebytes, say the data itself is likely not new. Instead, it is believed to have been scraped years ago. Once that data became freely available, attackers were able to use it to target accounts at scale. For example, by triggering password reset emails to see who might panic and click. 

So was Instagram breached or not?

This is the key distinction. 

  • Instagram says its systems were not breached
  • Passwords were not stolen
  • Accounts were not automatically compromised. 

However: 

  • Older Instagram user data appears to have resurfaced online
  • That data may have been used to support phishing, scams and account-testing activity. 

What should you do if you reset your password? 

If you clicked the link and reset your password, this does not mean your account has automatically been hacked. You have simply changed your password. In many cases, resetting the password actually makes the account safer, provided the new password is strong and unique. 

However, resetting your password can create risk if any of the following apply: 

  • You reused an old or weak password
  • You used a password you have used elsewhere
  • You used a predictable variation of an old password. 

When someone resets their password quickly under pressure, they may choose something familiar or easy to remember. That makes it more likely the password can be guessed or reused successfully. If your details were exposed in a previous data breach elsewhere online, attackers may already have copies of passwords you used in the past. If you reuse passwords, or choose a similar variation, they can try those combinations on Instagram. 

This is especially worrying if you don’t have two-factor authentication enabled, as without it, anyone who obtains your password can log in to your Instagram account. But, with 2FA enabled, they still need a second code, which usually stops the attack cold. 

You should act immediately if you notice:

  • Emails saying a new device has logged in
  • Your email address or phone number was changed
  • Posts, messages or follows you didn’t make 
  • You’re logged out and can’t get back in. 

In that situation, use Instagram’s account recovery tools straight away. 

What to do now if you clicked the link

If you reset your password and are worried: 

  • Log in directly via the Instagram app or website (not via email)
  • Change your password again — make it long, unique, and unused elsewhere
  • Turn on two-factor authentication
  • Check login activity and remove unknown devices
  • Review and remove any third-party apps you don’t recognise. 

All of this can be done via your Instagram security settings. 

The bottom line

Instagram hasn’t been “hacked” in the way many headlines suggest. But a combination of old data resurfacing and a password reset flaw has created a perfect storm, one that attackers are actively exploiting.

If you ignore unexpected reset emails and make sure two-factor authentication is enabled, the risk of account takeover remains low. 

This information is for general guidance only and does not constitute legal or financial advice.

You may also like:

  • Environment, News, Vehicle

Can BMW drivers claim compensation for the diesel emissions scandal?

BMW faces legal action over emissions-cheating software. Learn what the scandal involves, who is affected, and what it means for UK diesel car owners.
  • Data Breach, Financial, News

Capita data breach: Legal response & ongoing investigations

Capita’s data breach exposed pension holders’ personal data. Stay updated on the latest legal action, investigations, and regulatory responses.
  • News, Vehicle

Jaguar Land Rover DPF claims vs. dieselgate: What you need to know

Confused about Jaguar Land Rover DPF claims vs. Dieselgate? Learn the key differences, legal actions, and how to check if you qualify for compensation.

Latest news & insights

Tesco supermarket trolleys stacked in a line.
What claims should be on your radar in June 2026?
From the Tesco equal pay case to the latest Capita data breach claim update, here are the compensation claims and legal developments to watch in June 2026.
Could your landlord owe you compensation for failing to protect your deposit?
If your landlord failed to protect your tenancy deposit correctly, you could be entitled to compensation. Learn your rights and find out what to do next.
Warning for app fraud alert on smartphone
APP fraud explained — what it is and how to protect yourself
APP fraud cost UK victims over £450m in 2024. Find out how the reimbursement rules could help you claim your money back.
Beautiful Middle Eastern Manager Sitting at a Desk in Creative Office. Young Stylish Female with Curly Hair Using Laptop Computer in Marketing Agency. Colleagues Working in the Background
How to make a Subject Access Request
We cover everything you need to know about making a Subject Access Request, from identifying when a SAR is necessary to understanding your rights to a response.
University of Nottingham data breach claim
University of Nottingham cyber-attack: what students and graduates need to know
The University of Nottingham has confirmed a major cyber-attack affecting current and former students. Find out more…
Supermarket workers: You could have multiple equal pay claims
Worked at more than one supermarket? You could have multiple equal pay claims. Find out if you're eligible and how to take action today.
Next equal pay ruling: What it means for supermarket workers
Next store workers won their equal pay claim—could supermarkets be next? Find out how this ruling could impact retail employees and equal pay claims.
Icons of major social media applications are displayed on a smartphone screen with the United Kingdom flag in the background. Discussions are ongoing in the UK regarding strict age verification measures and a potential ban on social media usage for minors under 16.
UK set to ban under-16s from social media in landmark move
The UK government has announced plans to ban under-16s from social media. We explain what has been proposed.
Close-up of a person using a smartphone with the ChatGPT app open.
Are ChatGPT conversations appearing in Google search results? Here’s what we know.
Reports claim ChatGPT conversations are appearing in Google search results. We examine what's really happening.
Woman holding iPhone with logo of application Booking.com on the screen, using mobile application
Booking.com faces proposed £2 billion consumer claim over hotel prices
A proposed £2 billion claim alleges Booking.com's pricing practices inflated hotel costs for millions of UK travellers. Here's what we know so far.
Warning to supermarket store workers: If you want equal pay compensation, you’ll need to claim it!
Many UK supermarket workers are confused about equal pay claims. Learn why backpay isn’t automatic and what opt-in group actions really mean.
Close-up of the NHS - National Health Service logo on the exterior of St. Thomas Hospital in London, UK
What is the NHS Single Patient Record, and why is it being debated?
Plans for a NHS Single Patient Record moved a step closer last week. But there are important questions about privacy & data security.
Teenagers with smartphones on social media near white wall indoors
Social media is facing growing scrutiny. Here’s why.
Explore the growing debate around social media safety, online harms, platform accountability, child safety, addictive features and digital rights.
An expert hacker is decrypting data while hiding their face
Hackers are changing tactics – and it could mean more data breaches
Hackers are increasingly exploiting software vulnerabilities rather than stealing passwords. Here's what that could mean for UK consumers.
Managing the validity of digital document checklists
New data complaint rules are coming in June 2026
New data protection complaint rules take effect on 19 June 2026. Find out what organisations must do and what the changes mean for consumers.
View all news

Did you know we have a newsletter?

Sign up for our newsletter to stay up to date.

We connect consumers with their legal dream teams to ensure they get the compensation and support they deserve.

claims
About
Legal
Connect

Join the Claim is not a law firm. We connect individuals with top law firms for group action claims, and our service is free to use. While we may receive a fee from the law firms we introduce you to, this will not affect your costs or compensation. We are not responsible for the advice or services provided by these firms. Please note, nothing on this website is legal advice, and while we check claim eligibility, we cannot guarantee a law firm will accept a case.

Join the Claim is a trading name of Join the Claim Limited, authorised and regulated by the Financial Conduct Authority (FRN: 1053404). Registered in England and Wales, Company No: 16245278. Registered office: 32 Eyre Street, Sheffield, S1 4QZ.

© Join the Claim All Rights Reserved |

2026
Go to claims