I looked into this a bit and I am also skeptical about the leak narrative.

I just checked, and Instagram’s password reset flow allows requesting a reset using an email address, a phone number, or even the username [1]. The username is public information, so triggering password reset emails is relatively easy. At scale you would need IP rotation and some basic automation, but it is not particularly hard to generate a large volume of reset emails and create confusion.

From an attacker’s perspective, this does not grant access to accounts or sensitive data. It mainly causes users to receive unexpected reset emails and possibly panic or change their passwords. That aligns more with nuisance or malice than with a meaningful breach.

I do not have definitive proof, but based on this behavior it seems plausible that the reported wave of reset emails could be explained without any large scale data leak.

[1] https://www.instagram.com/accounts/password/reset/ (screenshot: https://imgur.com/a/4x5HPLx)

> From an attacker’s perspective, this does not grant access to accounts or sensitive data

I think there might be an effort in the "security" snake oil industry to classify publicly available data as some sort of breach. Probably because for a security company it's a quick win finding such a "breach" you can generate publicity with and/or scare clueless executives into buying your solution/consultancy services. I think there was a similar "breach" at Twitter where it turned out it was all publicly available data users themselves put on their public profile that was scraped.

I've personally had people argue with me that disclosing whether an account was registered was a major breach and that I should do "something" about it, yet refuse to change the registration form to also not disclose that fact (since otherwise we'd have to move the registration process behind an emailed link and ask the user to wait for the confirmation email to continue, killing conversion rates).

The "something" was done, and of course the bad guys promptly moved onto the signup form. But hey, as far as I know, we're now secure™.
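For readers who want to see what the two points above look like in code (a reset flow that can be triggered from a public username and spammed at scale, and a form that reveals whether an account exists), here is an added example of a reset-request handler that gives the same answer either way, rate-limits per target account and per client IP, and issues single-use, short-lived tokens. This is illustrative code written for this thread, not Instagram's implementation or anyone's posted code; the limits, the 15-minute TTL, the sample accounts and the `ResetService` name are all assumptions.

```python
"""Password-reset requests that resist username enumeration and reset-email spam.
Added illustrative code, not Instagram's implementation; all limits, names and
sample accounts below are assumptions."""
import hashlib
import secrets
import time
from collections import defaultdict, deque

RESET_TOKEN_TTL = 15 * 60   # seconds a reset link stays valid (assumed)
PER_ACCOUNT_LIMIT = 3       # reset emails per account per window (assumed)
PER_IP_LIMIT = 10           # reset requests per client IP per window (assumed)
WINDOW = 60 * 60            # rate-limit window in seconds (assumed)

# Constructed sample user store: public username -> private email.
ACCOUNTS = {
    "jdoe": "jdoe@example.invalid",
    "asmith": "asmith@example.invalid",
}

# Identical wording whether or not the identifier matched an account, so the
# response body cannot be used to enumerate users.
GENERIC_RESPONSE = "If an account matches, we've sent reset instructions."


class ResetService:
    def __init__(self):
        self.outbox = []                    # (email, token) pairs that were "sent"
        self.tokens = {}                    # sha256(token) -> (username, expires_at)
        self._account_hits = defaultdict(deque)
        self._ip_hits = defaultdict(deque)

    @staticmethod
    def _lookup(identifier):
        """Resolve a username or email to an account; None if no match."""
        ident = identifier.strip().lower()
        for username, email in ACCOUNTS.items():
            if ident in (username, email):
                return username
        return None

    @staticmethod
    def _within_limit(hits, key, limit, now):
        """Sliding-window counter: drop stale hits, refuse once the limit is hit."""
        q = hits[key]
        while q and q[0] <= now - WINDOW:
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(now)
        return True

    def request_reset(self, identifier, client_ip, now=None):
        now = time.time() if now is None else now
        # The per-IP counter is charged before the lookup, so it cannot leak
        # whether the identifier exists.
        ip_ok = self._within_limit(self._ip_hits, client_ip, PER_IP_LIMIT, now)
        username = self._lookup(identifier)
        if ip_ok and username is not None:
            # Per-account cap: a public username cannot be used to flood one
            # victim's inbox with reset mail.
            if self._within_limit(self._account_hits, username, PER_ACCOUNT_LIMIT, now):
                token = secrets.token_urlsafe(32)
                digest = hashlib.sha256(token.encode()).hexdigest()
                # Only the hash is stored, so a database read does not yield usable links.
                self.tokens[digest] = (username, now + RESET_TOKEN_TTL)
                self.outbox.append((ACCOUNTS[username], token))
        return GENERIC_RESPONSE

    def consume_reset_token(self, token, now=None):
        """Return the username for a valid token, consuming it; None otherwise."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)   # single use: gone on first presentation
        if entry is None:
            return None
        username, expires_at = entry
        if now > expires_at:
            return None
        return username
```

Two caveats worth noting. The response text being identical is only half of it: if the email is sent synchronously inside the request, the latency difference still reveals whether the lookup hit, so the send should be queued. And the per-IP limit is what the original comment's "IP rotation" defeats, which is why the per-account cap is the control that actually matters against mass reset-email spam.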

My Instagram username is <firstinitial><lastname> and I get password reset offers (they say “looks like you’re having trouble logging into Instagram” or something similar) about once a week.

Same, on average. I'll go a few weeks without any, then one or two per day for a while.

If the mailboxes of some people were breached, those reset emails can be used to steal their Instagram accounts. So it can be some other breach being exploited, rather than a vulnerability in the Instagram account itself.

If my mailbox is breached, Instagram will be the least of my worries.

Password reset emails usually contain a token that expires rather quickly so unless I’m missing something, this should be a non-issue.

But you can generate such emails with a public username

Yep. And if you also have access to my email, you can already look at it to figure out exactly what services I have an account with.

If you’ve pwned my email address, you can get my user names, send email resets, etc, etc.

Or the email address you have already hacked into. Why bother with the username at that point.

And that would also apply to everything. What else? Banks.

It wouldn't be reported as an Instagram breach, in that case.

Skeptical? There's not even a clear claim of what the leaked information is? There just appears to be no leak at all.