The Digital Security Digest, by Freedom of the Press Foundation (FPF), is a weekly newsletter with security tips that keep you, your sources, and your devices safe. If someone shared this newsletter with you, please subscribe here.
Instagram users hit with influx of password reset emails
Last week I received a password reset email from Instagram. Then another. I showed my partner, and apparently the same thing happened to them. Honestly, I thought we were dealing with a targeted attack. It turns out we were just two of the countless users who received a rush of unexpected password reset emails.
The problem became so widespread that Instagram had to intervene over the weekend. Posting on X, Instagram denied that it experienced a breach, stating, “We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems and your Instagram accounts are secure.” Read more.
What you can do
Instagram’s password reset email is pretty clear: If you didn’t request the email, you don’t have to do anything. But it doesn’t hurt to lock down your accounts, and to develop some habits that will help you navigate other password reset attacks down the road.
- Go to the website yourself. Attackers exploited an issue with Instagram that allowed them to flood users with password reset requests, so these weren’t fraudulent emails from an impersonator. But sometimes attackers will use password reset emails like these as lures to scare you into clicking a link in a phishing email before you can take a breath and think it through. This does not just apply to Instagram — if you receive a suspicious email that you did not request, you don’t need to click on any links in the email. Just in case, you can always navigate to the website yourself. Read our guide on how to identify phishing attacks.
- Use two-factor authentication. Even if someone did manage to access your password, they will have a tough time getting into your account if you set up two-factor authentication — a requirement to enter a second piece of information beyond the password when you log in. This is typically a short code sent to your phone by text message, or generated by an app like Google Authenticator. Make sure it’s enabled on your Instagram account. If you want to learn more about even stronger options for maximizing account security, read our guides to two-factor authentication and passkeys for passwordless logins.
Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.
Best,
Martin
–
Martin Shelton
Deputy Director of Digital Security
Freedom of the Press Foundation