The recent wave of Instagram account reset emails, which impacted 17.5 million users, didn’t rely on sophisticated exploits. Instead, it exposed something closer to home: weaknesses in standard account recovery processes combined with predictable user behaviour, such as clicking the ‘reset password’ link when an email from Instagram comes through.
“Meta said that this incident was not a breach or hack but stemmed from a bug in Instagram’s password-reset function that was exploited. The problem is that in 2022, Instagram’s API was scraped, collecting public or semi-public information from 17.5 million accounts,” said Zbyněk Sopuch, CTO at Safetica.
At the centre of the issue was the abuse of legitimate platform functionality, specifically password reset workflows, alongside inconsistent user security hygiene.
Dr. Stephen Boyce, CEO of The Cyber Doctor, says the mechanics of the incident should raise serious questions about how large consumer platforms still handle identity verification.
“The fact that users, or in this case, a system, could perform a password reset without being challenged is mind-boggling,” Dr. Boyce said.
In regulated industries like finance, password resets are treated as high-risk events, often requiring layered verification beyond multi-factor authentication (MFA). Social platforms, however, continue to treat them as a convenience feature, despite the scale and value of the accounts they protect.
“Many other platforms, such as in banking, have closed this loophole to challenge the password reset in addition to MFA; however, in Instagram’s case, it appears the actors were able to circumvent that security control,” Dr. Boyce commented.
The accounts that were compromised belonged to users who interacted with the reset request, giving attackers the opportunity to extract the newly created credentials through social engineering or to bypass MFA by stealing authentication tokens.
“This data included usernames, full names, email addresses, phone numbers, and partial physical addresses. It looks like some attackers could have combined the password-reset bug with this leaked data for more targeted attacks,” added Mr. Sopuch.
The attack did not require malware installation or direct system intrusion. It relied on trust, urgency, and existing platform design choices.
According to Boyce, users who ignored the password reset emails were not impacted.
“As long as you didn’t click the hyperlink, your password wouldn’t have been reset,” he explained.
This incident points to a broader industry issue, one that is a growing challenge across consumer technology platforms like Instagram: legitimate access paths are being weaponised. As perimeter defences improve, attackers are shifting toward workflows that were never designed with adversarial abuse in mind.
“There do not seem to be many reports of people having their Instagram accounts taken over, but anyone receiving the password-reset email should be on alert. People should change their passwords and set up two-factor authentication as a first step,” Sopuch went on to say.
Multi-factor authentication remains necessary, but it is no longer sufficient on its own. Without stronger controls around reset flows, session management and behavioural verification, MFA can be bypassed without triggering alarms – Instagram being the case in point.
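The controls named above (reset-flow hardening, session management, a challenge before any credential change) are easier to reason about in code. The following is an added example written for this article, not Instagram’s or Meta’s code: an in-memory password-reset flow in which a reset request is rate-limited per account, the emailed token is single-use and time-bound, merely visiting the link changes nothing, the password is only replaced once a step-up challenge passes, and every existing session is revoked on success so a stolen session token dies with the old password. The MFA check is a stand-in comparison against a stored code (a real deployment would verify TOTP or a push approval), and passwords are hashed with SHA-256 purely for illustration; these are assumptions of the example, not platform behaviour.

```python
"""Hardened password-reset flow (added example, in-memory stores only)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

RESET_TTL_SECONDS = 15 * 60      # emailed link is valid for 15 minutes
MAX_REQUESTS_PER_HOUR = 3        # more than this per account is an abuse signal


@dataclass
class Account:
    username: str
    password_hash: str
    mfa_code: str                      # stand-in for a real MFA verifier (assumption)
    sessions: Set[str] = field(default_factory=set)
    reset_requests: List[float] = field(default_factory=list)  # request timestamps


@dataclass
class ResetToken:
    username: str
    expires_at: float
    used: bool = False


ACCOUNTS: Dict[str, Account] = {}   # username -> Account
TOKENS: Dict[str, ResetToken] = {}  # sha256(raw token) -> ResetToken


def _hash(value: str) -> str:
    # Illustrative only: passwords in production need a slow KDF (argon2/bcrypt).
    return hashlib.sha256(value.encode()).hexdigest()


def request_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a reset token for an existing, non-rate-limited account.

    Returns the raw token that would go in the email, or None. The HTTP layer
    must send the same generic response in both cases so that a reset request
    cannot be used to confirm whether an account exists.
    """
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None
    # Sliding one-hour window: a burst of resets for one account is logged, not served.
    acct.reset_requests = [t for t in acct.reset_requests if now - t < 3600]
    if len(acct.reset_requests) >= MAX_REQUESTS_PER_HOUR:
        return None
    acct.reset_requests.append(now)
    raw = secrets.token_urlsafe(32)
    # Only the hash is stored, so a leaked token table cannot be replayed.
    TOKENS[_hash(raw)] = ResetToken(username, now + RESET_TTL_SECONDS)
    return raw


def complete_reset(raw_token: str, mfa_code: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Change the password only if the token is valid AND the challenge passes.

    Opening the link alone never changes credentials; the user must actively
    prove control of the second factor at this step.
    """
    now = time.time() if now is None else now
    tok = TOKENS.get(_hash(raw_token))
    if tok is None or tok.used or now > tok.expires_at:
        return False
    acct = ACCOUNTS[tok.username]
    # Burn the token whether or not the challenge succeeds: one attempt per link.
    tok.used = True
    if not hmac.compare_digest(mfa_code, acct.mfa_code):
        return False
    acct.password_hash = _hash(new_password)
    # Session management: revoke every session so a stolen token is useless.
    acct.sessions.clear()
    return True


if __name__ == "__main__":
    # Constructed demo account; the session id and MFA code are made up.
    ACCOUNTS["demo"] = Account("demo", _hash("old-pass"), "123456", {"sess-1"})
    link_token = request_reset("demo")
    print("reset via link alone:", complete_reset(link_token, "000000", "x"))   # False
    link_token = request_reset("demo")
    print("reset with challenge:", complete_reset(link_token, "123456", "new"))  # True
    print("sessions after reset:", ACCOUNTS["demo"].sessions)                   # set()
```

The two properties that the article’s commentary calls for are visible in `complete_reset`: the link is a pointer to a challenge, not an action in itself, and success clears `sessions`, so an attacker who harvested an authentication token before the reset is logged out along with everyone else.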
Instagram’s situation is not unique and it likely won’t be the last of its kind, unfortunately.
“Everyone should be wary of unsolicited password reset requests from social media, e-commerce, and similar sites. Do not click through on any link. Go to the page or app to log in independently. We expect AI-enabled phishing attacks to rise in 2026, especially with the personal data that is already available on the dark web,” commented Sopuch.
Password resets are no longer a support function; they are a primary attack surface, and social media users are feeling the impact.