Instagram Password Reset Emails: Phishing Scam or Data Breach?

by Sophie Williams

Instagram users in Indonesia are being targeted by a surge of unsolicited password reset requests, raising alarms about potential phishing attacks and data security breaches. Reports began surfacing around January 6, 2026, with users receiving legitimate-looking emails, some even from verified accounts, prompting concerns that a significant data leak may be underway. Cybersecurity experts are warning against clicking any links within these emails and recommend initiating password changes directly through the Instagram app, as the country has already seen a substantial increase in cyber anomalies and digital fraud attempts in recent months.

Instagram users in Indonesia are reporting a surge of unsolicited password reset notifications, raising concerns about potential data breaches and account security. The notifications, which began appearing around January 6, 2026, are arriving via email and appear legitimate, even originating from verified Instagram accounts.

The unusual volume of requests is alarming users who haven’t initiated any password changes. Several individuals have taken to social media to share screenshots of the emails, prompting others to come forward with similar experiences. The incident underscores the growing sophistication of phishing attacks targeting popular social media platforms.

Anggri, a 34-year-old Instagram user, said she received two such emails within five days, on January 6 and January 10. “I was shocked because I hadn’t requested a password reset,” she explained. “Then, a few days later, I received another one.” She shared a screenshot of the email on her Instagram Story, quickly receiving direct messages from at least seven friends reporting the same issue.

“I immediately got DMs that day. They said they were getting the same notifications,” Anggri added.

Despite the official appearance of the emails, Anggri refrained from clicking any links or changing her password, fearing a phishing attempt designed to steal her credentials. She noted that her Instagram password is also used for other social media accounts, increasing the potential damage from a successful breach.

“I’m afraid it’s a trap. If you click the link and enter your password, your data could be stolen,” she said.

Users Opt to Ignore Reset Password Emails

Other Instagram users are taking a similar approach, choosing to ignore the suspicious emails altogether. Denis, another user, stated, “I’m just ignoring the requests in my email. Hopefully, it’s safe.”

Denis expressed skepticism about the unsolicited password reset requests, suspecting they are part of a digital scam targeting unsuspecting users. The incident highlights the importance of user awareness in combating increasingly sophisticated online threats.

Requests for comment from Meta, Instagram’s parent company, regarding the alleged data leak and mass password reset notifications, have not yet been answered.

Verified Badges Don’t Guarantee Authenticity

Responding to the reports, Ardi Sutedja, Chairman of the Indonesia Cyber Security Forum (ICSF), cautioned users against trusting emails claiming to be from Instagram, even if they originate from verified accounts. The increasing prevalence of sophisticated phishing techniques makes it difficult to discern legitimate communications from fraudulent ones.

“If you want to change your password, it’s best to do so directly through the Instagram app on your device,” Sutedja advised. “Don’t click on any links or attachments in emails or DMs. It’s now very difficult to verify whether an email is genuine or fake.”

He emphasized that a verified badge is no longer a foolproof indicator of authenticity. “Phishing techniques are becoming more sophisticated and are able to mimic official email appearances very convincingly,” he stated. “Going through the app directly is verified and updated to the latest version. But if you click a link in an email, we don’t know if it’s really from Instagram or not. A verified badge doesn’t guarantee anything.”

Experts Recommend Password Resets Through the App

Ariyanto A. Setyawan, Chairman of the Network and Infrastructure Division of the Indonesian Digital Empowerment Community (IDIEC), echoed this sentiment, stating that password reset requests via email should be treated with suspicion. The shift towards in-app password resets reflects a broader industry trend towards enhanced security measures.

“Best practice now is that if you need to reset your password, it’s usually forced directly from the app, not via email. If it’s via email, it’s more vulnerable to phishing,” he said.

According to Ariyanto, many major application developers have abandoned the email-based password reset method due to its susceptibility to abuse by cybercriminals.

Phishing Attacks on the Rise in Indonesia

Phishing is a digital fraud technique used to steal sensitive data such as usernames, passwords, phone numbers, and other personal information. Attackers typically impersonate trusted entities, such as banks, government agencies, or popular platforms like Instagram.

They send urgent messages, such as “Your account will be blocked, verify now,” accompanied by a link to a fake login page. Unwitting victims then enter their data into the fraudulent site. The increasing sophistication of these attacks requires constant vigilance from users.

In Indonesia, phishing cases have seen a significant increase. The National Cyber and Crypto Agency (BSSN) recorded 4.41 billion cyber anomalies in September 2025, with phishing ranking as the third most common type of attack after malware and illegal access. The number of phishing incidents has surged to 26 million.

The Ministry of Communication and Digital Affairs (Komdigi) reported 1.2 million digital fraud reports through mid-2025, with the majority being phishing and smishing attacks via SMS and email.

Potential Global Instagram Data Leak

Further fueling concerns, antivirus company Malwarebytes has reported a potential data leak affecting approximately 17.5 million Instagram accounts worldwide, including those in Indonesia. The leak reportedly includes usernames, email addresses, phone numbers, and physical addresses.

The data was discovered through routine Malwarebytes scans of the dark web, tracing back to an Instagram API leak in 2024. The compromised data is currently being sold openly and could be used for various cyberattacks, ranging from phishing to account takeovers. This situation is believed to be driving the recent surge in mass password reset requests.

According to Cybersecuritynews, a data seller on the dark web using the alias “Subkek” claims the data was obtained through scraping the Instagram public API and country-specific sources since late 2024. This combination of data is considered highly dangerous, as it facilitates identity theft, targeted phishing, and social engineering attacks by impersonating Instagram.

Stay Vigilant and Don’t Panic

In light of these developments, cybersecurity experts are urging Instagram users to remain calm but vigilant. If you receive a password reset email without requesting one, avoid clicking any links. Proactive security measures are essential in protecting personal data online.

The safest course of action is to open the Instagram app directly and check your account security settings. If a password change is necessary, initiate it through the official app. Staying informed and cautious is key to keeping your account and personal data secure.

