I looked into this a bit and I am also skeptical about the leak narrative.
I just checked, and Instagram’s password reset flow allows requesting a reset using an email address, a phone number, or even the username [1]. The username is public information, so triggering password reset emails is relatively easy. At scale you would need IP rotation and some basic automation, but it is not particularly hard to generate a large volume of reset emails and create confusion.
From an attacker’s perspective, this does not grant access to accounts or sensitive data. It mainly causes users to receive unexpected reset emails and possibly panic or change their passwords. That aligns more with nuisance or malice than with a meaningful breach.
I do not have definitive proof, but based on this behavior it seems plausible that the reported wave of reset emails could be explained without any large scale data leak.
> From an attacker’s perspective, this does not grant access to accounts or sensitive data
I think there might be an effort in the "security" snake oil industry to classify publicly available data as some sort of breach. Probably because for a security company it's a quick win finding such a "breach" you can generate publicity with and/or scare clueless executives into buying your solution/consultancy services. I think there was a similar "breach" at Twitter where it turns out it was all publicly-available data users themselves put on their public profile that was scraped.
I've personally had people argue with me that disclosing whether an account was registered was a major breach and do "something" about it, yet refuse to change the registration form to also not disclose that fact (since otherwise we'd have to move the registration process behind an emailed link and ask the user to wait for the confirmation email to continue, killing conversion rates).
The "something" was done, and of course the bad guys promptly moved onto the signup form. But hey as far as I know, we're now secure™.
My Instagram username is <firstinitial><lastname> and I get password reset offers (they say “looks like you’re having trouble logging into Instagram” or something similar) about once a week.
If mailboxes of some people were breached, those reset emails can be used to steal their Instagram accounts. So it can be some other breach being exploited, rather than a vulnerability in Instagram account itself.
Instagram response posted on 11-jan: "We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems and your Instagram accounts are secure. You can ignore those emails — sorry for any confusion" https://xcancel.com/instagram/status/2010202301886238822?s=2...
My guess is they fixed whatever weakness in their rate limiting allowed an attacker to automate requesting millions of password reset emails. The fix could be as simple as adding a new CAPTCHA to the password reset flow.
Yep I got 2 on Jan 9th. he e-mails come from security@mail.instagram.com
I also get a bunch of these e-mails from them every few weeks:
Sorry to hear you’re having trouble logging into Instagram. We got a message that you forgot your password. If this was you, you can get right back into your account or reset your password now.
So, I guess you can actually message them, pretend to another user to rese password? I don't follow many people or have many followers. I can't imagine the attempts on other higher valued accounts...
I mean, if they knew who was requesting the password reset, then you wouldn’t need to reset the password, just accept whatever auth mechanism allows them to know who is resetting the password.
Yeah the source is terrible. I'd expect at least some sort of explanation on how they arrived at that conclusion, eg. "someone on breachforums claims to have it for sale" or "some whistleblower at instagram reported". If it's the former, it's possible that instagram themselves aren't at fault, eg. they got it via phishing or credential stuffing.
I’ve got an Instagram burner I literally never use. Never clicked weird links, never logged in anywhere sketchy, so a phishing compromise makes zero sense. If my info got out, it likely came from Instagram’s side, not mine.
What’s interesting is the timing pattern. I started getting “reset your password” emails in early 2023, then they’d come in waves. It feels like the creds were getting resold and different people were taking turns running the same list. The emails were in different languages too, which tracks with whoever was firing off the requests.
Got another reset attempt a couple days ago. Congrats to the latest buyer: you bought pure schwag. Whatever value was in that list got milked long before it ended up public.
I just checked, and Instagram’s password reset flow allows requesting a reset using an email address, a phone number, or even the username [1]. The username is public information, so triggering password reset emails is relatively easy.
>Congrats to the latest buyer: you bought pure schwag. Whatever value was in that list got milked long before it ended up public.
Nobody is buying your account specifically, they're buying it bulk. At that scale the fact that a percentage of accounts are fake/burner/bots is baked whatever the buyer is expecting. If anything, the bigger issue is bot accounts, not random privacy-oriented people's burner accounts.
Can anyone point to an actual reputable source that has any details about what specifically got leaked, and how? Instagram has way more users, so it's very odd that only 17.5M get "leaked". Just honestly feels like this is overblown and it's again just scraped data or something.
The original Malwarebytes tweet is incredibly generic.
probably some kind of plugin or app they logged into via instagram but I am not sure what kind of integrations there are, or could it be regional for some reason?
Have not used Instagram in a decade - sincerely curious why would a physical address be part of the leaked data? Are users actually required or voluntarily provide this information to Facecrook?
I use Facebook with the email address that I use for many things, like online shops. Some years ago FB allowed "check what data we have on you" and I learnt that these online shops upload their customer data to FB, so they can target us in the ads they put on FB. Among others, it matches using email... so I'm guessing Zuck has my home address too.
But anyway, I have Instagram and WhatsApp on my phone. They probably can also see my location (or the SSID of networks around me) and figure out where I live.
Most people are incredible naive and willingly provide that information to Facebook/Meta. They even provide real names and videos and pictures of themselves and their relatives to these websites!
You can order things from Shops within the application. I am not an Instagram user so whether this is the only feature that records your address or not, I can't say.
Am I missing something? The source they shared is a screenshot of a password reset email, which anyone can trigger if they have the email address of the account.
Whoever it is, they just entered your Instagram username in the "To recover your password, enter your username, and we'll email you a reset link" field...
One thing I'm curious about is I hear stories about people getting hacked and losing their FB/IG/Tiktok accouts then fighting to get them back. You never hear details but I can only assume they're reusing passwords or they're using guessable passwords. For reference, anything 10 characters or less has to be viewed as guessable in this day and age.
I've long-viewed password managers are mandatory. Every site get its own 20+ character randomly generated password. I don't care if the hash gets leaked. It's not getting cracked. For years this has been 1Password. Initially it was LastPass but 1Password is just more slick.
The annoyance is all the arbitrary rules sites create about you have to use special characters or you can't or they have different, non-overlapping requirements on password length or the absolute worst is forced password rotation.
I don't generally try and get non-tech friends and family use password managers however because it's still kinda clunky to use and generate. Passkeys are kinda better I guess? But they're far from universal and I don't expect them ever to be.
Anyway, this kind of leak from Meta kinda surprises me. Leaking information that ties a physical address to an email address? That's a massive breach and not normally one you expect form a company employing thousands of engineers.
I will say this: IG operates as its own domain within Meta and AFAIK they still use a completely separate code base in Python/Django. Facebook proper is in Hack (almost entirely) and has excellent tooling and systems to detect weak endpoints and PII leaks of this sort such that leaky endpoints (or however this information leaked; I didn't see any details in the article) really just don't happen.
This has long been a point of friction within Meta engineerings. It's defensible to say it's not worth rewriting but IG are constantly playing catch up with what the rest of the company gets for "free". How many billion+ dollar settlements does it take before this equation changes?
And yes I believe that leaking physical addresses is going to cost th ecompany more than a billion dollars. It may get people killed. That's how serious this is.
I just heard lots of AI agents celebrating yet another data breach where they get free private data about lots of users and now can link them up just like this previous breach. [0]
I just checked, and Instagram’s password reset flow allows requesting a reset using an email address, a phone number, or even the username [1]. The username is public information, so triggering password reset emails is relatively easy. At scale you would need IP rotation and some basic automation, but it is not particularly hard to generate a large volume of reset emails and create confusion.
From an attacker’s perspective, this does not grant access to accounts or sensitive data. It mainly causes users to receive unexpected reset emails and possibly panic or change their passwords. That aligns more with nuisance or malice than with a meaningful breach.
I do not have definitive proof, but based on this behavior it seems plausible that the reported wave of reset emails could be explained without any large scale data leak.
[1] https://www.instagram.com/accounts/password/reset/ (screenshot: https://imgur.com/a/4x5HPLx)
I think there might be an effort in the "security" snake oil industry to classify publicly available data as some sort of breach. Probably because for a security company it's a quick win finding such a "breach" you can generate publicity with and/or scare clueless executives into buying your solution/consultancy services. I think there was a similar "breach" at Twitter where it turns out it was all publicly-available data users themselves put on their public profile that was scraped.
I've personally had people argue with me that disclosing whether an account was registered was a major breach and do "something" about it, yet refuse to change the registration form to also not disclose that fact (since otherwise we'd have to move the registration process behind an emailed link and ask the user to wait for the confirmation email to continue, killing conversion rates).
The "something" was done, and of course the bad guys promptly moved onto the signup form. But hey as far as I know, we're now secure™.
If you’ve pawned my email address, you can get my user names, send email reset, etc, etc.
Instagram response posted on 11-jan: "We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems and your Instagram accounts are secure. You can ignore those emails — sorry for any confusion" https://xcancel.com/instagram/status/2010202301886238822?s=2...
I doubt they fixed anything. Lol
I also get a bunch of these e-mails from them every few weeks:
Sorry to hear you’re having trouble logging into Instagram. We got a message that you forgot your password. If this was you, you can get right back into your account or reset your password now.
So, I guess you can actually message them, pretend to another user to rese password? I don't follow many people or have many followers. I can't imagine the attempts on other higher valued accounts...
Got one a day or two ago again actually.
Yeah the source is terrible. I'd expect at least some sort of explanation on how they arrived at that conclusion, eg. "someone on breachforums claims to have it for sale" or "some whistleblower at instagram reported". If it's the former, it's possible that instagram themselves aren't at fault, eg. they got it via phishing or credential stuffing.
I’ve got an Instagram burner I literally never use. Never clicked weird links, never logged in anywhere sketchy, so a phishing compromise makes zero sense. If my info got out, it likely came from Instagram’s side, not mine.
What’s interesting is the timing pattern. I started getting “reset your password” emails in early 2023, then they’d come in waves. It feels like the creds were getting resold and different people were taking turns running the same list. The emails were in different languages too, which tracks with whoever was firing off the requests.
Got another reset attempt a couple days ago. Congrats to the latest buyer: you bought pure schwag. Whatever value was in that list got milked long before it ended up public.
> If my info got out, it likely came from Instagram’s side, not mine.
Did you use a burner email account to register? An account that was never used for anything else?
[1] https://www.instagram.com/accounts/password/reset/ (screenshot: https://imgur.com/a/4x5HPLx)
Nobody is buying your account specifically, they're buying it bulk. At that scale the fact that a percentage of accounts are fake/burner/bots is baked whatever the buyer is expecting. If anything, the bigger issue is bot accounts, not random privacy-oriented people's burner accounts.
The original Malwarebytes tweet is incredibly generic.
That’s never happened to me before, wonder if it’s related
"If you received a bunch of password reset requests from Instagram recently, you're not alone."
1. There's a map feature where users can assign their location to a photo that was taken. I suppose this could qualify as 'physical address'.
2. Businesses often have their physical addresses as part of their profile.
But anyway, I have Instagram and WhatsApp on my phone. They probably can also see my location (or the SSID of networks around me) and figure out where I live.
They will ask for a ID, then a video, then an ID, then a photo, then an ID, ...
After an undefined number of iterations, they made decide you are real enough, until ...
I would consider this as a favor.
* https://support.1password.com/fastmail/
Whoever it is, they just entered your Instagram username in the "To recover your password, enter your username, and we'll email you a reset link" field...
I've long-viewed password managers are mandatory. Every site get its own 20+ character randomly generated password. I don't care if the hash gets leaked. It's not getting cracked. For years this has been 1Password. Initially it was LastPass but 1Password is just more slick.
The annoyance is all the arbitrary rules sites create about you have to use special characters or you can't or they have different, non-overlapping requirements on password length or the absolute worst is forced password rotation.
I don't generally try and get non-tech friends and family use password managers however because it's still kinda clunky to use and generate. Passkeys are kinda better I guess? But they're far from universal and I don't expect them ever to be.
Anyway, this kind of leak from Meta kinda surprises me. Leaking information that ties a physical address to an email address? That's a massive breach and not normally one you expect form a company employing thousands of engineers.
I will say this: IG operates as its own domain within Meta and AFAIK they still use a completely separate code base in Python/Django. Facebook proper is in Hack (almost entirely) and has excellent tooling and systems to detect weak endpoints and PII leaks of this sort such that leaky endpoints (or however this information leaked; I didn't see any details in the article) really just don't happen.
This has long been a point of friction within Meta engineerings. It's defensible to say it's not worth rewriting but IG are constantly playing catch up with what the rest of the company gets for "free". How many billion+ dollar settlements does it take before this equation changes?
And yes I believe that leaking physical addresses is going to cost th ecompany more than a billion dollars. It may get people killed. That's how serious this is.
They are about to get to know about us even more!
[0] https://news.ycombinator.com/item?id=46530353