- I looked into this a bit and I am also skeptical about the leak narrative.
I just checked, and Instagram’s password reset flow allows requesting a reset using an email address, a phone number, or even the username [1]. The username is public information, so triggering password reset emails is relatively easy. At scale you would need IP rotation and some basic automation, but it is not particularly hard to generate a large volume of reset emails and create confusion.
From an attacker’s perspective, this does not grant access to accounts or sensitive data. It mainly causes users to receive unexpected reset emails and possibly panic or change their passwords. That aligns more with nuisance or malice than with a meaningful breach.
I do not have definitive proof, but based on this behavior it seems plausible that the reported wave of reset emails could be explained without any large scale data leak.
[1] https://www.instagram.com/accounts/password/reset/ (screenshot: https://imgur.com/a/4x5HPLx)
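A detection-side view of the behaviour described above, as an added example that is not part of this comment or of Instagram's code: it runs two checks over a constructed reset-request log in a hypothetical format, flagging one account hit repeatedly (reset bombing) and a burst of distinct accounts requested from distinct source IPs, which is what the IP-rotated volume the comment mentions would look like in server logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): "<UTC time> <source IP> <kind> <identifier>"
SAMPLE_LOG = """\
2025-01-09T10:00:01Z 203.0.113.10 username alice
2025-01-09T10:00:02Z 203.0.113.11 username bob
2025-01-09T10:00:03Z 203.0.113.12 username carol
2025-01-09T10:00:04Z 203.0.113.13 username dave
2025-01-09T10:00:05Z 203.0.113.14 username erin
2025-01-09T11:00:00Z 198.51.100.7 email grace@example.com
2025-01-09T11:00:05Z 198.51.100.7 email grace@example.com
2025-01-09T11:00:09Z 198.51.100.7 email grace@example.com
2025-01-09T15:00:00Z 192.0.2.9 email heidi@example.com
"""
LINE = re.compile(r"^(\S+) (\S+) (username|email|phone) (\S+)$")

def parse(log):
    """Parse log text into (time, ip, kind, identifier) tuples sorted by time."""
    events = []
    for m in filter(None, map(LINE.match, log.splitlines())):
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(events)

def in_window(events, start, window):
    """Events whose time falls in [start, start + window]."""
    return [e for e in events if timedelta(0) <= e[0] - start <= window]

def detect(events, window=timedelta(minutes=10), per_target=3, burst=5):
    """(type, key, count) alerts. target_flood: one account hit repeatedly (reset bombing);
    rotated_burst: >= burst accounts from >= burst IPs in one window (IP-rotated campaign)."""
    alerts, by_target = [], defaultdict(list)
    for ev in events:
        by_target[ev[2:]].append(ev)          # key is (kind, identifier)
    for key, evs in by_target.items():
        n = max(len(in_window(evs, e[0], window)) for e in evs)
        if n >= per_target:
            alerts.append(("target_flood", key, n))
    best = (0, 0)
    for e in events:                            # a per-IP rate limit alone misses this
        span = in_window(events, e[0], window)
        targets, ips = {s[2:] for s in span}, {s[1] for s in span}
        if len(targets) >= burst and len(ips) >= burst:
            best = max(best, (len(targets), len(ips)))
    if best[0]:
        alerts.append(("rotated_burst", f"{best[1]} source IPs", best[0]))
    return alerts
```

The thresholds are placeholders; a real deployment would tune them against baseline reset volume and alert on the per-target signal to the affected user as well as to the SOC.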
- Source posted on 9-jan: https://news.ycombinator.com/item?id=46571968
Instagram response posted on 11-jan: "We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems and your Instagram accounts are secure. You can ignore those emails — sorry for any confusion" https://xcancel.com/instagram/status/2010202301886238822?s=2...
- This news answers a bunch of questions I’ve had.
I’ve got an Instagram burner I literally never use. Never clicked weird links, never logged in anywhere sketchy, so a phishing compromise makes zero sense. If my info got out, it likely came from Instagram’s side, not mine.
What’s interesting is the timing pattern. I started getting “reset your password” emails in early 2023, then they’d come in waves. It feels like the creds were getting resold and different people were taking turns running the same list. The emails were in different languages too, which tracks with whoever was firing off the requests.
Got another reset attempt a couple days ago. Congrats to the latest buyer: you bought pure schwag. Whatever value was in that list got milked long before it ended up public.
- Can anyone point to an actual reputable source that has any details about what specifically got leaked, and how? Instagram has way more users, so it's very odd that only 17.5M get "leaked". Just honestly feels like this is overblown and it's again just scraped data or something.
The original Malwarebytes tweet is incredibly generic.
- Someone tried to get into my account 2 days ago by attempting to reset it with “forgot password”
That’s never happened to me before, wonder if it’s related
- > the leak included Instagram usernames, physical addresses, phone numbers, email addresses and more.
- Am I missing something? The source they shared is a screenshot of a password reset email, which anyone can trigger if they have the email address of the account.
- I receive several "Let's help get you back onto Instagram" emails a week, and have for months and months. I can only assume it's someone trying to do something nasty, but I have no idea what it actually could be.
It has quite perplexed me.
- This would be monumental if true; Meta data breaches are basically unheard of, contrary to popular opinion.
- Engadget changed the title - this one should also be edited.
- Wonder if closed / banned / deleted accounts are in that batch
- One thing I'm curious about is I hear stories about people getting hacked and losing their FB/IG/TikTok accounts, then fighting to get them back. You never hear details, but I can only assume they're reusing passwords or they're using guessable passwords. For reference, anything 10 characters or less has to be viewed as guessable in this day and age.
I've long viewed password managers as mandatory. Every site gets its own 20+ character randomly generated password. I don't care if the hash gets leaked. It's not getting cracked. For years this has been 1Password. Initially it was LastPass, but 1Password is just more slick.
The annoyance is all the arbitrary rules sites create: you have to use special characters or you can't, or they have different, non-overlapping requirements on password length, or, the absolute worst, forced password rotation.
I don't generally try to get non-tech friends and family to use password managers, however, because it's still kinda clunky to use and generate. Passkeys are kinda better, I guess? But they're far from universal and I don't expect them ever to be.
Anyway, this kind of leak from Meta kinda surprises me. Leaking information that ties a physical address to an email address? That's a massive breach and not normally one you expect from a company employing thousands of engineers.
I will say this: IG operates as its own domain within Meta and AFAIK they still use a completely separate code base in Python/Django. Facebook proper is in Hack (almost entirely) and has excellent tooling and systems to detect weak endpoints and PII leaks of this sort such that leaky endpoints (or however this information leaked; I didn't see any details in the article) really just don't happen.
This has long been a point of friction within Meta engineering. It's defensible to say it's not worth rewriting, but IG are constantly playing catch-up with what the rest of the company gets for "free". How many billion+ dollar settlements does it take before this equation changes?
And yes, I believe that leaking physical addresses is going to cost the company more than a billion dollars. It may get people killed. That's how serious this is.
- I just heard lots of AI agents celebrating yet another data breach where they get free private data about lots of users and now can link them up just like this previous breach. [0]
They are about to get to know about us even more!
- Can't believe people are still using that shit. I permanently deleted my account last year.
- I'm pretty damn sure MZ bought IG so he could have a monopoly on social communication. "Improve product quality"? Please