Instagram users in various countries received a flood of emails requesting password resets this weekend, even though they didn’t initiate them. Amid claims that the data of 17.5 million profiles was sold on the darknet, the service announced that there was no hack and that the problem with the mailing list had already been fixed.
Instagram users in various countries received a flood of emails requesting password resets this weekend, even though they didn’t initiate them. Amid claims that the data of 17.5 million profiles was sold on the darknet, the service announced that there was no hack and that the problem with the mailing list had already been fixed.
According to Engadget, Instagram explained the incident as an «abuse» of its access recovery mechanism: an external party could trigger emails to be sent to some people without gaining access to their profiles. The company said that the loophole has now been closed, and unexpected password reset emails can be ignored if you have not tried to change your password yourself.
In parallel, Malwarebytes linked the wave of emails to an alleged leak that included logins, email addresses, phone numbers, and other data, and said the set was being offered for sale on underground platforms. The company also suggested that it was a possible fallout from an API access incident in 2024. Instagram has not confirmed these claims and insists that it was a bug that triggered the emails.
The article also recommends basic security steps: enable two-factor authentication, have a unique password, and check which devices are currently signed into your account via the Accounts Center. This doesn’t explain the root cause of the wave of emails, but it does reduce the risk of account hijacking if your data is indeed «walking» somewhere.
Mass emails about resetting your password are often used as a «hook» for phishing: a person is scared with a message and is presented with a fake login page. The safest thing to do is not to click on links in unexpected emails, but to log in to Instagram directly and check the security of your account in the settings.
Previously, dev.ua wrote about how Reuters, citing leaked internal documents from Meta, reported that the social media giant had developed special instructions for its employees on how to make fraudulent advertising on Facebook and Instagram «unsearchable» by law enforcement.
