Instagram Password Reset Emails Sent Out to Users Unprompted

Instagram users were sent password reset emails recently that they didn’t request, but Instagram says there was no breach of their system.

Malwarebytes reported that the sensitive data of over 17.5 million Instagram accounts was compromised:

Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more. This data is available for sale on the dark web and can be abused by cybercriminals.

Malwarebytes (@malwarebytes.com), 2026-01-09

Instagram claims that there was no breach of their systems:

While these statements might seem contradictory, they really aren’t. The way most online accounts are set up lets anyone trigger a password reset email for anyone else simply by typing that person’s email address into the reset form. You can try it for yourself right now (sorry bob@gmail.com).

Now this in and of itself doesn’t give anyone access to your account, but it sure can spook you. If someone were to intercept that reset email, though, they could reset your password and gain full access to your account.

For most of our accounts, the email address tied to the account completely overrides the password, meaning anyone with access to your inbox has free rein to take over your accounts.

The reason for this is that people forget their passwords and need a way to reset them. Everyone has an email address, so that is the obvious choice for a recovery method.

These password reset emails are also never end-to-end encrypted, meaning your email provider, the service’s email provider, or anyone listening in on either system can read and intercept them.
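As an added illustration (not code from the original post), here is the server side of the flow described above in Python: anyone can submit any address, so the response must not reveal whether the account exists, and because the emailed token is a bearer credential, the only way to bound the damage of an intercepted email is to make the token unguessable, short-lived, single-use and stored only as a hash. The user table and domain are constructed placeholders.

```python
import hashlib
import secrets
import time

# Constructed in-memory stand-ins for a user database and a reset-token table.
USERS = {"alice@example.com": {"password_hash": "old-hash"}}  # placeholder data
RESET_TOKENS = {}  # sha256(token) -> {"email": ..., "expires": ...}
TOKEN_TTL_SECONDS = 15 * 60


def request_reset(email, now=None):
    """Handle a 'forgot password' submission.

    The caller is unauthenticated, so the message returned is identical whether
    or not the address is registered; otherwise the form doubles as an
    account-enumeration oracle. Returns (message, raw_token_for_mailer_or_None).
    """
    now = time.time() if now is None else now
    token = None
    if email in USERS:
        token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Only the hash is persisted: a leaked token table cannot be replayed.
        RESET_TOKENS[digest] = {"email": email, "expires": now + TOKEN_TTL_SECONDS}
    return "If that address is registered, a reset email has been sent.", token


def consume_reset(token, new_password_hash, now=None):
    """Redeem the token carried in the emailed link.

    pop() makes the token single-use, and the expiry check keeps the window in
    which an intercepted email is useful to a few minutes. Returns True on success.
    """
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = RESET_TOKENS.pop(digest, None)
    if record is None or now > record["expires"]:
        return False
    USERS[record["email"]]["password_hash"] = new_password_hash
    return True
```

Note that nothing here stops a stranger from making the service email you, which is exactly why unprompted reset emails are not by themselves evidence of a breach.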

So, in order to change the paradigm of services asking for your email at signup, we first need to get rid of passwords for online accounts.

Passkeys are stored on your device and can be synced through your password manager, so as long as you can get into your password manager, you will be able to log in to your account. This replaces email-based recovery with the password manager, removing the need for services to collect an email address in the first place, or to offer a recovery feature at all, since recovery is handled by the password manager.

Unfortunately, even when a service adopts passkey support, they tend to still require an email. We should push services to stop collecting unnecessary data such as email addresses and phone numbers so we don’t need to worry about data breaches so much when they inevitably happen. Even when there’s not a data breach, services using email addresses and phone numbers expose unnecessary attack surface to their users through “features” like account recovery.

Companies should embrace data minimalism and collect only the minimum data they absolutely need in order to provide their service. Otherwise, they leave their users exposed to data breaches and themselves exposed to lawsuits. The technology to solve this problem exists; we just need to embrace it.