Instagram password reset attacks highlight two-factor authentication questions

Meta said it fixed an issue that allowed external parties to request password reset emails and stated there was no breach of its systems; a dataset reported to contain 17.5 million Instagram account records was posted to a dark web forum around the same time, and Instagram's support material notes two-factor authentication is available and enabled by default for creator accounts.

Instagram users reported a wave of unrequested password reset emails in early January. Meta posted a brief statement saying it had fixed an issue that let external parties request such emails and that there was no systems breach. Around the same time, a dataset reported to include 17.5 million Instagram account records appeared on a dark web forum. Instagram's support material highlights two-factor authentication and cautions about third-party app access. Known details: - Meta announced it fixed an issue that allowed external parties to request password reset emails and stated there was no breach of its systems. - A dataset reported to contain 17.5 million Instagram account records was published to a dark web forum and has been linked to earlier API-scraped data. - Users across the platform reported a surge in unrequested password reset notifications coinciding with the dataset's publication. - Instagram's support documentation notes that two-factor authentication is available and that it is enabled by default for creator accounts. Summary: Meta's public statement is brief and reports a technical fix and no systems breach; the dataset's public distribution coincided with the surge in reset notifications. Current public status is limited to the company's statement and related support guidance. Undetermined at this time.