Instagram users receive unexpected emails prompting a password reset

Find out what to do with an unsolicited ‘password reset’ email

A large number of Instagram users have received emails telling them to reset their passwords, prompting confusion and concern. 

These emails are from Instagram and have been confirmed as genuine. But an unsolicited email like this should be treated with caution.

Read on to find out how you can check if an email is a scam and how to secure your account.


Instagram password reset email

A password reset email from Instagram

The email titled ‘Reset your password’ tells you that a request has been made to reset your Instagram password and includes a link to do this.

It states that if you ignore the email, your password won’t be changed and includes a link to follow if you didn’t request the password change.

Instagram has said that the emails were a result of an issue that allowed an external party to request password reset emails for some Instagram users. Instagram has denied that these emails are a result of a data breach. 

Which? previously reported on a similar series of emails from Microsoft, which told users they had requested a six-digit code in order to verify their identity to gain access to their accounts - an email prompted by a login attempt from a new device. 

Which? found that one user who received this email had several login attempts from all over the world, including the US, Turkey, Greece, Russia and Brazil, indicating that fraudsters had acquired the user’s data and were trying to access their account.


How to secure your online accounts

Unexpected password reset emails can be alarming, as they can indicate that someone is attempting to get into your account. 

If you receive an email like this: 

  • Log in to your account using the platform’s official website or app and change your password to one that is unique and secure. 
  • You should also ensure your devices have good antivirus software installed. We know from our tough lab tests that third-party antivirus software is much better at identifying phishing attempts than the built-in protection given by your operating system.
  • You should also set up two-factor authentication.

Fraudsters buy and sell leaked details garnered from data breaches and hacks, so sometimes it’s difficult to say how a scammer came into possession of your personal information. But you can check to see if your email has been compromised by typing it into Have I Been Pwned. If you find you have been included in a data breach, you should change the passwords on those accounts and ensure your online accounts all have unique passwords. 

How to tell if an email is genuine

An email you weren't expecting that asks you to log in to an account, move money or share personal information should be treated with caution.

Follow our six steps to check if an email is genuine:

  1. Check the sender's email address to make sure it is one of the brand’s official email addresses. Pay attention to the spelling of the email address and any unusual characters used in it.
  2. Read the email over and look for impersonal greetings such as ‘dear customer’, or any poor spelling and grammar. 
  3. Check for blurred or out-of-date branding.
  4. Avoid clicking on the links, but you can check to see where they lead by hovering over them using your mouse or long-pressing them on a phone or tablet. If it leads to a random website that isn't linked to the brand it claims to be from, then you should assume it is dodgy. 
  5. Think about what it's asking you to do. Are you being pressured or rushed into making a decision? Scammers rely on you acting fast. 
  6. If in any doubt, verify the information yourself independently. Contact the sender it claims to be from using details from its official website.
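
The checks in steps 1 and 4 can also be run as a short Python script that compares the sender's domain and each link's real destination with a list of official domains. This is an added example, not part of the original article; the OFFICIAL_DOMAINS list and both sample emails are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains the brand sends from and links to.
OFFICIAL_DOMAINS = {"instagram.com"}

def is_official(host):
    """True only for an official domain or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

class LinkCollector(HTMLParser):
    """Collects the real destination (href) of every link in the body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def check_email(raw):
    """Return a list of findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    findings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not is_official(sender_domain):
        findings.append(f"sender domain not official: {sender_domain}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href in collector.hrefs:
        host = urlsplit(href).hostname
        if not is_official(host):
            findings.append(f"link leads elsewhere: {host}")
    return findings

# Constructed sample emails (not real messages).
GENUINE = ("From: Instagram <security@mail.instagram.com>\n"
           "Subject: Reset your password\n\n"
           '<a href="https://www.instagram.com/reset">Reset password</a>\n')
LOOKALIKE = ("From: Instagram <security@mail-instagram.example>\n"
             "Subject: Reset your password\n\n"
             '<a href="https://instagram.com.account-help.example/reset">Reset password</a>\n')

if __name__ == "__main__":
    for name, raw in (("GENUINE", GENUINE), ("LOOKALIKE", LOOKALIKE)):
        print(name, check_email(raw) or "nothing flagged")
```

The visible sender address can be forged, so an empty result does not prove an email is genuine; step 6 still applies.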

You can report scam emails by forwarding them to report@phishing.gov.uk.

If you lose any money to a scam, call your bank immediately using the number on the back of your bank card and report it to Report Fraud (formerly known as Action Fraud) or call the police on 101 if you’re in Scotland.