I get email reset passwords from IG at least once a month.
I doubt they fixed anything. Lol
My guess is they fixed whatever weakness in their rate limiting allowed an attacker to automate requesting millions of password reset emails. The fix could be as simple as adding a new CAPTCHA to the password reset flow.
Yep I got 2 on Jan 9th. The e-mails come from security@mail.instagram.com
I also get a bunch of these e-mails from them every few weeks:
Sorry to hear you’re having trouble logging into Instagram. We got a message that you forgot your password. If this was you, you can get right back into your account or reset your password now.
So, I guess you can actually message them, pretend to be another user to reset the password? I don't follow many people or have many followers. I can't imagine the attempts on other higher valued accounts...
I get those for an account I never registered or confirmed email for. I just keep reporting them as the phishing they are...
Same, it's very weird. Only ever IG.
Got one a day or two ago again actually.
Same here, I got one on January 9th.
I honestly thought it was a "hey, we're still here, you should log in" dark pattern. (My account's been unused for years).
I mean, if they knew who was requesting the password reset, then you wouldn’t need to reset the password, just accept whatever auth mechanism allows them to know who is resetting the password.
I’m 100% convinced they send those out purposefully to encourage users to log back in.
>Source posted on 9-jan: https://news.ycombinator.com/item?id=46571968
Yeah the source is terrible. I'd expect at least some sort of explanation on how they arrived at that conclusion, e.g. "someone on breachforums claims to have it for sale" or "some whistleblower at instagram reported". If it's the former, it's possible that instagram themselves aren't at fault, e.g. they got it via phishing or credential stuffing.
I received a password reset request email just yesterday. Not sure what they fixed.
I’m confident that is the breach/attack/whatever they are discussing.