If you received an unsolicited password reset email from Instagram in recent days, you don’t need to panic. These messages don’t appear to be the result of a new data breach or account compromise, but rather a bug that Meta claims it has now fixed.
Following a wave of suspicious account recovery requests, antivirus software provider Malwarebytes posted a warning on Jan. 9 that threat actors had stolen personal information from 17.5 million Instagram accounts. As BleepingComputer reports, there have been various claims that hackers have obtained Instagram account data from multiple API scraping incidents in the last several years, but the outlet notes that there haven’t been any confirmed incidents nor definitive proof of a new breach. Meta has said the issue was the result of a bug that allowed threat actors to request password reset emails, which it has since patched, and denies that user data has actually been compromised.
Of course, data breaches aren’t uncommon, and Meta platforms have been targeted in the past. So you should still practice good digital hygiene and stay vigilant to phishing attempts that could indicate account compromise.
How to keep your Instagram account secure
If you do receive an Instagram password reset email that you didn’t request, you don’t need to do anything with it. You can just ignore and delete the message. In general, you should avoid clicking links in security-related messages that seem urgent or sound scary (again, if you didn’t initiate account recovery) as these can be phishing attempts designed to steal your credentials or other sensitive information. If you do want to change a password or update other security details for any account, you should go directly to the website or app and do so there.
If you haven’t already, you can (and should) enable two-factor authentication (2FA) for Instagram. On the mobile app, open the Menu from your profile page and go to Accounts Center > Password and security > Two-factor authentication. You can choose to receive login codes via an authentication app (like Google Authenticator or Duo), SMS, or WhatsApp. As I’ve written, not all 2FA methods are created equal: SMS codes are especially easy to phish, so an authentication app is probably your best option here.
Finally, you can check for suspicious devices logged into your Instagram account under Accounts Center > Password and security > Where you’re logged in. If you see a device you don’t recognize, select it and tap Log out.
