It’s now been a week since Instagram users started complaining about a surge of password reset emails originating from the Meta-owned social media giant. While the security loophole that enabled that particular attack has now been closed down, according to Instagram, the risk to users is far from over. Security experts at ESET Ireland have now warned that the Instagram API error has created ideal conditions for criminals, and that users should be ready for the next wave of phishing attacks to begin.
Instagram Security Error Has Created Ideal Conditions For Cybercriminals, Experts Have Warned
Unless you have been living under a rock without an internet connection, you will likely have heard about the recent massive surge in Instagram password reset emails that genuine users were inundated with. While Instagram’s own support pages are quick to point out that receiving such a password reset request doesn’t “necessarily mean that your account has been hacked,” I’d suggest that receiving half a dozen of them within the space of a few hours likely does mean that someone is trying to do just that.
In the case of the recent attacks, and that’s exactly what they were, albeit rather impotent ones for the most part, as anyone who had not disabled their two-factor authentication protection would be safe enough, Instagram eventually confirmed that it had “fixed an issue that let an external party request password reset emails for some people.” What it didn’t do, and still hasn’t, is provide me with a statement despite my requests, or answer my questions relating to the incident.
Which is a shame, but I’m not a quitter and have tried again today following an email I received from ESET Ireland that warned Instagram users about a potential threat yet to come. Users should, the ESET email said, “stay alert for phishing and impersonation attempts after a surge in unexpected Instagram password reset emails caused widespread confusion online.” This is because the original incident creates an ideal breeding ground for follow-up phishing attacks.
“A wave of genuine password reset emails creates uncertainty, and that is exactly when phishing spikes,” George Foley, ESET Ireland spokesperson, said. “People are more likely to click, respond, or try to fix the problem through the wrong route.”
The National Cybersecurity Center also confirmed as much, with CEO Greg Oslan stating, “when incidents like this happen, companies struggle to reach users, users struggle to recognize real threats, and too often no one knows what to do, where to go, or who to trust.”
My advice is the same as that offered by ESET and others: ignore all password reset requests unless you have actually requested them, and be especially cautious of any follow-up messages claiming to be from Instagram. If you have any concerns whatsoever, then go directly to Instagram itself using your app to check your account status. I will update this article if Meta gets back to me with a statement.











