
Over the past few days, numerous Instagram users received an email regarding a password reset request. Around the same time, it was reported that cybercriminals had scraped the personal data of over 17 million users and that recent password reset phishing emails were linked to it. Well, Instagram says it has fixed the issue, while denying any data breach.
What happened?
Numerous users on X (including HaveIBeenPwned founder Troy Hunt) and on Reddit shared screenshots of a suspicious Instagram password reset email that had landed in their inboxes. Separately, cybersecurity firm Malwarebytes shared that hackers stole personal details of millions of users, and that the data (which includes usernames, physical addresses, phone numbers, and email addresses) was listed for sale on the dark web.
Instagram says it has fixed the issue and that users can simply ignore those emails. “We fixed an issue that let an external party request password reset emails for some people,” the company shared on X. Additionally, the company denied any instance of a data breach that may have exposed personal data of users.
However, we recommend that you go ahead and change your Instagram password from within the app’s Accounts Center, especially if you haven’t set up two-step authentication for login.
How to stay safe?
Scammers often impersonate businesses or even support executives to lure users into sharing their personal information. The recent wave of password reset emails that was sent to Instagram users is one such strategy. The links shared in such emails often lead users to pages where hackers either spoof a legitimate webpage or have set up other digital traps to extract sensitive information such as login credentials, credit card details, and more.
The first course of action is to check the sender’s email address and look carefully for any odd misspellings. It’s best to verify these email addresses against the official support page of a company or service. Second, look for a blue checkmark next to the email. Legitimate businesses, including Instagram, use such checkmarks next to the email address.
As a standard rule, never click on any links or buttons in such password reset emails unless you are sure about the sender’s identity. Also, make sure your accounts are protected by multi-factor or two-factor authentication. Using passkeys is one of the most convenient and safest options, as they lock identity verification behind biometric checks, such as face and fingerprint unlock.
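The sender and link checks described above can also be run against the raw message source (the "show original" view in most mail clients). The following is an added example, not code from Instagram or the article. It assumes a hypothetical allowlist, OFFICIAL_DOMAINS, that you fill in from the service's official support page, and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: fill this from the service's official support page.
OFFICIAL_DOMAINS = {"instagram.com"}

def is_official(host):
    """True only for an official domain or a real subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def check_reset_email(raw):
    """Return a list of reasons to distrust a raw (headers + body) email."""
    msg = message_from_string(raw)
    findings = []
    # The display name is free text; only the address domain counts.
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    if not is_official(domain):
        findings.append(f"sender domain {domain!r} is not official")
    # Only meaningful when this header was added by your own mail provider.
    if "dmarc=pass" not in msg.get("Authentication-Results", "").lower():
        findings.append("receiving server did not record dmarc=pass")
    parts = [p for p in msg.walk() if not p.is_multipart()]
    body = "".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace") for p in parts)
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlsplit(url).hostname or ""
        if not is_official(host):
            findings.append(f"link goes to {host!r}")
    return findings

# Constructed sample messages (not real Instagram mail).
LEGIT = (
    "From: Instagram <security@mail.instagram.com>\n"
    "Authentication-Results: mx.recipient.example; dmarc=pass header.from=mail.instagram.com\n\n"
    "Reset here: https://www.instagram.com/constructed-reset-path\n"
)
PHISH = (
    "From: Instagram Support <security@instagram-mail.example>\n"
    "Authentication-Results: mx.recipient.example; dmarc=fail\n\n"
    "Reset here: https://instagram.com.account-verify.example/reset\n"
)

if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("PHISH", PHISH)):
        print(name, check_reset_email(raw) or "no findings")
```

The suffix match is what catches lookalikes: a host that merely starts with or contains the brand name, as in the constructed phishing sample, is not a subdomain of the official domain.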





