Millions of Instagram users worldwide have reported receiving unexpected password reset emails, heightening concerns of a data breach amid closer scrutiny of major tech companies' account protection tools.
The notifications, which started spreading widely in the past few days, alarmed numerous users into thinking that their accounts had been hacked.
Posts on various social networks included pictures of what appeared to be genuine emails stating that a login had been attempted via a password reset, even though the user had made no login attempt. For some people, these messages came in waves.
Meta, the parent firm of Instagram, has not confirmed a massive breach of its systems.
If someone enters another user's username or email address in an attempt to reset that user's password, the account owner may be sent an email asking them to change their password.
A wave of password reset emails can indicate automated attempts to probe large swathes of accounts using data obtained elsewhere, such as email addresses exposed in unrelated breaches.
In those cases, attackers are merely testing whether details match active Instagram accounts rather than accessing Instagram's internal databases.
For Australian users, the episode has revived concerns about data protection and platform accountability, with Australians still among the favorite targets for phishing and account takeovers.
Some said their accounts were subsequently locked or required additional verification, but for others nothing further happened beyond the email.
That mixed experience suggests that in many cases the messages were precautionary rather than evidence of a successful compromise.
Meta has previously advised users not to click on links in suspicious emails but to check security notifications directly in the Instagram app.
The guidance also includes using strong, unique passwords for each account and two-factor authentication, which radically cuts the chances of unauthorized access even if login details are guessed or reused.
The incident highlights a broader policy issue confronting governments and regulators.
In Australia, the federal government has flagged reforms to privacy and cybersecurity laws to lift standards for companies holding vast amounts of user information.
They say services should be required to spell out the distinction between what might just be an unsuccessful login attempt with incorrect credentials, a credential stuffing attack and a confirmed data breach.
For now, no evidence has surfaced publicly suggesting that Instagram's core systems have been breached in this episode.
The scale of the password reset emails, however, served as a reminder that even without a hack, the ecosystem of leaked data and automated attacks keeps creating real anxiety for millions of users.
Australians who are worried about their accounts have been advised to check recent login activity, change passwords that might have been used elsewhere and enable other security features.
They should also avoid emails that create urgency or fear without being clearly verified.





