I just checked, and Instagram’s password reset flow allows requesting a reset using an email address, a phone number, or even the username [1]. The username is public information, so triggering password reset emails is relatively easy. At scale you would need IP rotation and some basic automation, but it is not particularly hard to generate a large volume of reset emails and create confusion.
From an attacker’s perspective, this does not grant access to accounts or sensitive data. It mainly causes users to receive unexpected reset emails and possibly panic or change their passwords. That aligns more with nuisance or malice than with a meaningful breach.
I do not have definitive proof, but based on this behavior it seems plausible that the reported wave of reset emails could be explained without any large scale data leak.
[1] https://www.instagram.com/accounts/password/reset/ (screenshot: https://imgur.com/a/4x5HPLx)
I think there might be an effort in the "security" snake oil industry to classify publicly available data as some sort of breach. Probably because for a security company it's a quick win finding such a "breach" you can generate publicity with and/or scare clueless executives into buying your solution/consultancy services. I think there was a similar "breach" at Twitter where it turns out it was all publicly-available data users themselves put on their public profile that was scraped.
I've personally had people argue with me that disclosing whether an account was registered was a major breach and do "something" about it, yet refuse to change the registration form to also not disclose that fact (since otherwise we'd have to move the registration process behind an emailed link and ask the user to wait for the confirmation email to continue, killing conversion rates).
The "something" was done, and of course the bad guys promptly moved onto the signup form. But hey as far as I know, we're now secure™.
If you’ve pawned my email address, you can get my user names, send email reset, etc, etc.
Instagram response posted on 11-jan: "We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems and your Instagram accounts are secure. You can ignore those emails — sorry for any confusion" https://xcancel.com/instagram/status/2010202301886238822?s=2...
I doubt they fixed anything. Lol
I also get a bunch of these e-mails from them every few weeks:
Sorry to hear you’re having trouble logging into Instagram. We got a message that you forgot your password. If this was you, you can get right back into your account or reset your password now.
So, I guess you can actually message them, pretend to another user to rese password? I don't follow many people or have many followers. I can't imagine the attempts on other higher valued accounts...
Got one a day or two ago again actually.
Yeah the source is terrible. I'd expect at least some sort of explanation on how they arrived at that conclusion, eg. "someone on breachforums claims to have it for sale" or "some whistleblower at instagram reported". If it's the former, it's possible that instagram themselves aren't at fault, eg. they got it via phishing or credential stuffing.
I’ve got an Instagram burner I literally never use. Never clicked weird links, never logged in anywhere sketchy, so a phishing compromise makes zero sense. If my info got out, it likely came from Instagram’s side, not mine.
What’s interesting is the timing pattern. I started getting “reset your password” emails in early 2023, then they’d come in waves. It feels like the creds were getting resold and different people were taking turns running the same list. The emails were in different languages too, which tracks with whoever was firing off the requests.
Got another reset attempt a couple days ago. Congrats to the latest buyer: you bought pure schwag. Whatever value was in that list got milked long before it ended up public.
> If my info got out, it likely came from Instagram’s side, not mine.
Did you use a burner email account to register? An account that was never used for anything else?
[1] https://www.instagram.com/accounts/password/reset/ (screenshot: https://imgur.com/a/4x5HPLx)
Nobody is buying your account specifically, they're buying it bulk. At that scale the fact that a percentage of accounts are fake/burner/bots is baked whatever the buyer is expecting. If anything, the bigger issue is bot accounts, not random privacy-oriented people's burner accounts.
The original Malwarebytes tweet is incredibly generic.
That’s never happened to me before, wonder if it’s related
"If you received a bunch of password reset requests from Instagram recently, you're not alone."
It's quite perplexed me.
1. There's a map feature where users can assign their location to a photo that was taken. I suppose this could qualify as 'physical address'.
2. Businesses often have their physical addresses as part of their profile.
But anyway, I have Instagram and WhatsApp on my phone. They probably can also see my location (or the SSID of networks around me) and figure out where I live.
They will ask for a ID, then a video, then an ID, then a photo, then an ID, ...
After an undefined number of iterations, they made decide you are real enough, until ...
I would consider this as a favor.
Whoever it is, they just entered your Instagram username in the "To recover your password, enter your username, and we'll email you a reset link" field...
I've long-viewed password managers are mandatory. Every site get its own 20+ character randomly generated password. I don't care if the hash gets leaked. It's not getting cracked. For years this has been 1Password. Initially it was LastPass but 1Password is just more slick.
The annoyance is all the arbitrary rules sites create about you have to use special characters or you can't or they have different, non-overlapping requirements on password length or the absolute worst is forced password rotation.
I don't generally try and get non-tech friends and family use password managers however because it's still kinda clunky to use and generate. Passkeys are kinda better I guess? But they're far from universal and I don't expect them ever to be.
Anyway, this kind of leak from Meta kinda surprises me. Leaking information that ties a physical address to an email address? That's a massive breach and not normally one you expect form a company employing thousands of engineers.
I will say this: IG operates as its own domain within Meta and AFAIK they still use a completely separate code base in Python/Django. Facebook proper is in Hack (almost entirely) and has excellent tooling and systems to detect weak endpoints and PII leaks of this sort such that leaky endpoints (or however this information leaked; I didn't see any details in the article) really just don't happen.
This has long been a point of friction within Meta engineerings. It's defensible to say it's not worth rewriting but IG are constantly playing catch up with what the rest of the company gets for "free". How many billion+ dollar settlements does it take before this equation changes?
And yes I believe that leaking physical addresses is going to cost th ecompany more than a billion dollars. It may get people killed. That's how serious this is.
They are about to get to know about us even more!