Instagram password reset attacks — What you need to check right now
Instagram says it only sends emails from addresses ending in @mail.instagram.com

Instagram users worldwide are receiving unexpected password reset emails, and they should be cautious before clicking or responding, as cybercriminals may be exploiting the platform’s user base through a simple yet effective tactic.
Davey Winder, a senior contributor to Forbes and a veteran cybersecurity writer, hacker, and analyst, said he was among those who received a legitimate-looking email on Friday, seemingly from Instagram, claiming the company had received a request to reset his account password.
The email included a big, blue Reset Password button, along with the message, “If you ignore this message, your password will not be changed. If you didn't request a password reset, let us know.”
According to Forbes, hackers are relying on users to panic and click the button or the “let us know” hyperlink without thinking.
Experts say that while users should avoid clicking the Reset Password button in suspicious emails, attackers would still need additional information to successfully access accounts.

Instagram states that receiving a password reset email does not automatically indicate a breach, as it could result from user error, such as mistyping the email address. Emails from Instagram are only sent from @mail.instagram.com, and messages from other addresses may be phishing attempts, according to Instagram’s Help Center.
However, the recent spike in password reset requests is likely linked to a hacker posting data on 17.5 million Instagram accounts on BreachForums, just hours before users began reporting the surge, according to Forbes.
The Independent has contacted Meta representatives for comment.
To protect accounts, Instagram recommends enabling two-factor authentication, which requires a code to log in from unrecognized devices.
The platform enables 2FA by default for creator accounts, but all users are encouraged to verify that the feature is active.
Instagram also offers a recovery process for compromised accounts. Full instructions for checking and managing 2FA are available in the company’s Help Center.
If a user’s Instagram account is compromised or they are unable to log in, the company recommends visiting instagram.com/hacked to secure the account.
Users should also secure their email accounts with unique passwords that differ from their social media passwords, preventing hackers from accessing multiple accounts if one password is compromised.