Over the past few days, a wave of Instagram users has encountered an unusual email prompting them to change their passwords. The message indicates that the platform detected a reset request from the user's device.
Although plenty of recipients wisely disregarded the notice amid concerns it might be a scam designed to steal credentials, the alert actually came directly from Instagram itself.
Outlets like BleepingComputer have covered reports of a significant breach exposing details from around 17 million Instagram profiles, based on discussions in online communities.
The compromised information reportedly includes usernames and user IDs for roughly 17 million accounts, along with 12 million full names, 6 million email addresses, and 3 million mobile numbers. Notably, no login credentials were part of this exposure.
Instagram quickly addressed the matter in an official response. A company representative explained to BleepingComputer that a glitch enabled third parties to trigger password reset notifications for certain users, but this did not involve any unauthorized access to stored information.
The platform emphasized that users face no risk and can safely dismiss the messages without taking any additional steps.
"We resolved a glitch that allowed an outside entity to initiate password reset emails for select users. Our systems remain intact, and Instagram profiles are safe. Feel free to disregard these notices—we apologize for the mix-up."
If this technical hiccup isn't the source of the reported breach, it prompts questions about the data's true origin. Analysts suggest it stems from a separate incident earlier in 2024, while some sources point to events from 2022.
Instagram has made no acknowledgment of those potential breaches. The most recent verified compromise at the company occurred in 2017.
In the meantime, cybersecurity expert Troy Hunt has updated his Have I Been Pwned database to include 6 million Instagram-linked email addresses. Given Hunt's track record in tracking such events, this lends credence to the idea that the data ties back to the platform's recent technical issue.
Receiving an unsolicited password reset prompt from Instagram doesn't signal a compromised account. As noted, no passwords were exposed in the incident. That said, users should heighten awareness of phishing risks and verify if their email appears in the latest Have I Been Pwned listings.
To enhance protection, enable two-factor authentication on your Instagram profile if it's not already active—this adds a vital layer against unauthorized entry. For guidance on implementing two-factor authentication across your accounts, refer to relevant resources.
This piece originated from our affiliate outlet PC-WELT and was adapted from its German version.