I looked into this a bit and I am also skeptical about the leak narrative.
I just checked, and Instagram’s password reset flow allows requesting a reset using an email address, a phone number, or even the username [1]. The username is public information, so triggering password reset emails is relatively easy. At scale you would need IP rotation and some basic automation, but it is not particularly hard to generate a large volume of reset emails and create confusion.
From an attacker’s perspective, this does not grant access to accounts or sensitive data. It mainly causes users to receive unexpected reset emails and possibly panic or change their passwords. That aligns more with nuisance or malice than with a meaningful breach.
I do not have definitive proof, but based on this behavior it seems plausible that the reported wave of reset emails could be explained without any large scale data leak.
[1] https://www.instagram.com/accounts/password/reset/ (screenshot: https://imgur.com/a/4x5HPLx)
> From an attacker’s perspective, this does not grant access to accounts or sensitive data
I think there might be an effort in the "security" snake oil industry to classify publicly available data as some sort of breach. Probably because for a security company it's a quick win finding such a "breach" you can generate publicity with and/or scare clueless executives into buying your solution/consultancy services. I think there was a similar "breach" at Twitter where it turns out it was all publicly-available data users themselves put on their public profile that was scraped.
I've personally had people argue with me that disclosing whether an account was registered was a major breach and do "something" about it, yet refuse to change the registration form to also not disclose that fact (since otherwise we'd have to move the registration process behind an emailed link and ask the user to wait for the confirmation email to continue, killing conversion rates).
The "something" was done, and of course the bad guys promptly moved onto the signup form. But hey as far as I know, we're now secure™.
My Instagram username is <firstinitial><lastname> and I get password reset offers (they say “looks like you’re having trouble logging into Instagram” or something similar) about once a week.
Same, on average. I'll go a few weeks without any, then one or two per day for a while.
If mailboxes of some people were breached, those reset emails can be used to steal their Instagram accounts. So it can be some other breach being exploited, rather than a vulnerability in Instagram account itself.
If my mailbox is breached, Instagram will be the least of my worries.
Password reset emails usually contain a token that expires rather quickly so unless I’m missing something, this should be a non-issue.
But you can generate such emails with a public username
Yep. And if you also have access to my email, you can already look at it to figure out exactly what services I have an account with.
If you’ve pawned my email address, you can get my user names, send email reset, etc, etc.
Or the email address you have already hacked into. Why both with the username at that point.
And that would also apply to everything. What else? Banks.
It wouldn't be reported as an Instagram breach, in that case.
Skeptical? There's not even a clear claim of what the leaked information is? There just appears to be no leak at all.
Source posted on 9-jan: https://news.ycombinator.com/item?id=46571968
Instagram response posted on 11-jan: "We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems and your Instagram accounts are secure. You can ignore those emails — sorry for any confusion" https://xcancel.com/instagram/status/2010202301886238822?s=2...
I get email reset passwords from IG at least once a month.
I doubt they fixed anything. Lol
My guess is they fixed whatever weakness in their rate limiting allowed an attacker to automate requesting millions of password reset emails. The fix could be as simple as adding a new CAPTCHA to the password reset flow.
Yep I got 2 on Jan 9th. he e-mails come from security@mail.instagram.com
I also get a bunch of these e-mails from them every few weeks:
Sorry to hear you’re having trouble logging into Instagram. We got a message that you forgot your password. If this was you, you can get right back into your account or reset your password now.
So, I guess you can actually message them, pretend to another user to rese password? I don't follow many people or have many followers. I can't imagine the attempts on other higher valued accounts...
I get those for account I never registered or confirmed email for. I just keep reporting them as phishing they are...
I’m 100% convinced they send those out purposefully to encourage users to log back in.
Same, it's very weird. Only ever IG.
Got one a day or two ago again actually.
Same here, I got one on January 9th.
I mean, if they knew who was requesting the password reset, then you wouldn’t need to reset the password, just accept whatever auth mechanism allows them to know who is resetting the password.
I honestly thought it was a "hey, we're still here, you should log in" dark pattern. (My account's been unused for years).
>Source posted on 9-jan: https://news.ycombinator.com/item?id=46571968
Yeah the source is terrible. I'd expect at least some sort of explanation on how they arrived at that conclusion, eg. "someone on breachforums claims to have it for sale" or "some whistleblower at instagram reported". If it's the former, it's possible that instagram themselves aren't at fault, eg. they got it via phishing or credential stuffing.
I received a password reset request email just yesterday. Not sure what they fixed.
This news answers a bunch of questions I’ve had.
I’ve got an Instagram burner I literally never use. Never clicked weird links, never logged in anywhere sketchy, so a phishing compromise makes zero sense. If my info got out, it likely came from Instagram’s side, not mine.
What’s interesting is the timing pattern. I started getting “reset your password” emails in early 2023, then they’d come in waves. It feels like the creds were getting resold and different people were taking turns running the same list. The emails were in different languages too, which tracks with whoever was firing off the requests.
Got another reset attempt a couple days ago. Congrats to the latest buyer: you bought pure schwag. Whatever value was in that list got milked long before it ended up public.
Instagram password reset can start from an email address.
> If my info got out, it likely came from Instagram’s side, not mine.
Did you use a burner email account to register? An account that was never used for anything else?
I just checked, and Instagram’s password reset flow allows requesting a reset using an email address, a phone number, or even the username [1]. The username is public information, so triggering password reset emails is relatively easy.
[1] https://www.instagram.com/accounts/password/reset/ (screenshot: https://imgur.com/a/4x5HPLx)
Ahhhhh, no. This account was registered pre hide-my-email days.
Yeah, common surprise point for services that have any form of username recovery from email.
>Congrats to the latest buyer: you bought pure schwag. Whatever value was in that list got milked long before it ended up public.
Nobody is buying your account specifically, they're buying it bulk. At that scale the fact that a percentage of accounts are fake/burner/bots is baked whatever the buyer is expecting. If anything, the bigger issue is bot accounts, not random privacy-oriented people's burner accounts.
Can anyone point to an actual reputable source that has any details about what specifically got leaked, and how? Instagram has way more users, so it's very odd that only 17.5M get "leaked". Just honestly feels like this is overblown and it's again just scraped data or something.
The original Malwarebytes tweet is incredibly generic.
probably some kind of plugin or app they logged into via instagram but I am not sure what kind of integrations there are, or could it be regional for some reason?
Someone tried to get into my account 2 days ago by attempting to reset it with “forgot password”
That’s never happened to me before, wonder if it’s related
The first line in the article alludes to this:
"If you received a bunch of password reset requests from Instagram recently, you're not alone."
Wow, exactly the same issue for me, and for two different accounts of mine!
Same for me. Also never happened to me before
Yes, it happened a couple of days ago on my hidden non active account. I had it for 13 years and it never happened before.
> the leak included Instagram usernames, physical addresses, phone numbers, email addresses and more.
Have not used Instagram in a decade - sincerely curious why would a physical address be part of the leaked data? Are users actually required or voluntarily provide this information to Facecrook?
My guess is that it might a couple things:
1. There's a map feature where users can assign their location to a photo that was taken. I suppose this could qualify as 'physical address'.
2. Businesses often have their physical addresses as part of their profile.
You can order things from Shops within the application. I am not an Instagram user so whether this is the only feature that records your address or not, I can't say.
I use Facebook with the email address that I use for many things, like online shops. Some years ago FB allowed "check what data we have on you" and I learnt that these online shops upload their customer data to FB, so they can target us in the ads they put on FB. Among others, it matches using email... so I'm guessing Zuck has my home address too.
But anyway, I have Instagram and WhatsApp on my phone. They probably can also see my location (or the SSID of networks around me) and figure out where I live.
Most people are incredible naive and willingly provide that information to Facebook/Meta. They even provide real names and videos and pictures of themselves and their relatives to these websites!
Sometimes Meta decides you are not real or your name is not real and block your account.
They will ask for a ID, then a video, then an ID, then a photo, then an ID, ...
After an undefined number of iterations, they made decide you are real enough, until ...
> block your account.
I would consider this as a favor.
I receive several "Let's help get you back onto Instagram" emails a week, and have for months and months. I can only assume it's someone trying to do something nasty, but I have no idea what it actually could be.
It's quite perplexed me.
Am I missing something? The source they shared is a screenshot of a password reset email, which anyone can trigger if they have the email address of the account.
You don't even need the email address. The account name is enough to start the password request.
I have a masked email* for Instagram and have received two password reset requests in the last five days. Obviously, this is just an anecdote.
So what if you have masked emails...
Whoever it is, they just entered your Instagram username in the "To recover your password, enter your username, and we'll email you a reset link" field...
This would be monumental if true, meta data breaches are basically unheard of contrary to popular opinion
Engadget changed the title - this one should also be edited.
Wonder if closed / banned / deleted accounts are in that batch
One thing I'm curious about is I hear stories about people getting hacked and losing their FB/IG/Tiktok accouts then fighting to get them back. You never hear details but I can only assume they're reusing passwords or they're using guessable passwords. For reference, anything 10 characters or less has to be viewed as guessable in this day and age.
I've long-viewed password managers are mandatory. Every site get its own 20+ character randomly generated password. I don't care if the hash gets leaked. It's not getting cracked. For years this has been 1Password. Initially it was LastPass but 1Password is just more slick.
The annoyance is all the arbitrary rules sites create about you have to use special characters or you can't or they have different, non-overlapping requirements on password length or the absolute worst is forced password rotation.
I don't generally try and get non-tech friends and family use password managers however because it's still kinda clunky to use and generate. Passkeys are kinda better I guess? But they're far from universal and I don't expect them ever to be.
Anyway, this kind of leak from Meta kinda surprises me. Leaking information that ties a physical address to an email address? That's a massive breach and not normally one you expect form a company employing thousands of engineers.
I will say this: IG operates as its own domain within Meta and AFAIK they still use a completely separate code base in Python/Django. Facebook proper is in Hack (almost entirely) and has excellent tooling and systems to detect weak endpoints and PII leaks of this sort such that leaky endpoints (or however this information leaked; I didn't see any details in the article) really just don't happen.
This has long been a point of friction within Meta engineerings. It's defensible to say it's not worth rewriting but IG are constantly playing catch up with what the rest of the company gets for "free". How many billion+ dollar settlements does it take before this equation changes?
And yes I believe that leaking physical addresses is going to cost th ecompany more than a billion dollars. It may get people killed. That's how serious this is.
I just heard lots of AI agents celebrating yet another data breach where they get free private data about lots of users and now can link them up just like this previous breach. [0]
They are about to get to know about us even more!
can't believe people are still using that shit. i permanently deleted my account last year.
I'm pretty damn sure MZ bought IG so he could have a monopoly on social communication. "Improve product quality"? Please