Instagram says an influX in unwanted new password reset emails was not due to a hack. The company attributed the spike to a third party initiating legitimate reset workflows and said it has pushed a fix to block that activity.
What Instagram Says Happened With Password Resets
In a statement posted to X, Instagram said it had “fixed an issue that allowed an attacker to access contact information,” and consequently the company was alerted to the fact that some accounts’ email addresses were exposed. The company noted the affected emails were real notifications sent by Instagram, not phishing emails.
Details are slim, but the description suggests abuse of a public-facing workflow rather than an attack on a system. In practical terms, a third party seems to have automated the requests, so that actual reset emails went out to users en masse: an irritation that can damage trust even if no accounts are taken over.
Researchers Flag Possible Connection to Earlier Leak
Some security researchers have speculated on a larger context. Malwarebytes said the wave of resets came as rumors swirled in cyber networks linked to a stash containing data from 17.5 million Instagram accounts. The activity might be connected to a 2024 API incident in which a database containing over 17 million user records, purportedly including names, emails, and phone numbers, was leaked, CyberInsider reported separately.
Instagram has not verified any link between those datasets and the subsequent reset requests. But the operative theory without forensic detail is correlation, not causation. It’s not new, but the timing reinforces how data that has been exposed elsewhere is frequently at the root of abuse down the line, from credential stuffing to auto-prompts designed to obfuscate or befuddle users.
Password Reset Flows: A Playground for Attackers
The password reset mechanism is located at the intersection of security and usability. If rate limits, CAPTCHA challenges, or behavioral checks are too loose, attackers will script attack traffic, sending legitimate reset emails to real mailboxes. Such “notification bombing” could be used to harass victims, hide other signals, or try to socially engineer a response.
Well-designed controls (e.g., per-account cool-downs, reputation checks for IPs and devices, and friction scaling with risk) are advised in frameworks like OWASP ASVS. Email authentication (SPF, DKIM, DMARC) does help to make sure that messages are authentic, but it can’t stop a bad actor from causing authentic emails to be sent if the workflow through which they’re being sent is abused.
Protecting Your Account Now: Steps You Can Take
If you did not request a password reset, just disregard the email and don’t click any links within it. Instead, open the Instagram app or site directly and change your password in account settings to invalidate any outstanding reset tokens.
Turn on two-factor authentication with an authenticator app, which is stronger than SMS, and look over your login activity for any unrecognized devices or locations. Revoke sessions you don’t recognize, and use it to prune the third-party app connections that put you at risk.
Maybe you should move to strong, unique passphrases from a trusted and secure password manager instead. If your device supports passkeys, turning them on can block whole classes of credential-based attacks by replacing passwords with a chip-level authentication system.
Why Platforms Should Care About Reset Abuse Risks
Events like these also reemphasize a gap that exists between “no breach” and “no problem.” And even when attackers aren’t able to get in, they can undermine user confidence by subverting the notification channels. It’s why platforms more and more use layered defenses—adaptive throttling, device fingerprinting, signed short-lived reset tokens, in-app notifications that mirror email.
Clear communications also matter. Quick acknowledgment, clear guidance, and openness about the steps to recovery can help reduce confusion and minimize social engineering risk. The FBI’s Internet Crime Complaint Center has reported an increase in consumer losses associated with account compromise and fraud activity, further underscoring the necessity for resilient recovery and reset flows to be a front-line investment for any large platform.
And for users, the takeaway is still simple: if you get an unexpected security email, it should serve as a signal to check your account from a trusted path—not click through.
For Instagram and its peers, fortifying public workflows against abuse—even when systems aren’t compromised—is simply the norm for trust and safety at scale.