For the past year or so, I’ve been getting TONS of email spam from Instagram. Asking if I want to reset my password. The problem is that the email I use at Instagram is private, and exclusive to Instagram. So there is no way of knowing, no way for anyone to know, my Instagram email address. There is only one possible conclusion: Instagram is spamming its own users.
The “reset password” emails sent by Instagram look like this:
Subject: username, we’ve made it easy to get back on Instagram
Sorry to hear you’re having trouble logging into Instagram. We can help you get straight back into your account.
Login as username
You can also reset your Instagram password.
Didn’t request this email?
Here is a screenshot:
Anyone else getting a ton of these emails? Is it spam? Something else? In order to find out, I decided to do a little experiment..
After posting this article, a reader sent the following information:
Someone wants your username and hits the recover password to see what happens or if more info is displayed. It has nothing to do with the email you are using or Instagram spamming you.
So yeah, that makes sense and seems to be the reason why people are getting so many password-reset emails from Instagram. Apparently there are bots/scripts out there just hammering the Instagram “Forgot Password” form:
Notice in the form where it asks for your “Email, phone, or username”. That is the flaw. It enables bad actors to scrape usernames and then hit that form with their kiddie script. So they can spam Instagram users with endless “password reset” emails, just by entering the username. Why would anyone do this? Well, that’s a good question. Probably has something to do with competition and money, imho.
The solution? The problem is that collecting existing usernames is trivial to do, so any random idiot can scrape up hundreds or thousands of usernames and use them to spam users. The solution would be for Instagram to require ONLY email address or phone number for users to reset their password. Remove the option to reset passwords based on username only. This would stop 99% of Instagram “forgot password” spam immediately. Why? Because email addresses and phone numbers are private. So scrapers and scumbags can’t get to them.
But! Instagram does provide a way to limit the login emails. Just click on the “Didn’t request this email?” link, as shown here:
Upon clicking that link, you will be taken to a page where you can limit help emails based on your device. As it says on the page:
Only get login help emails from devices where you’ve used Instagram before. This setting will last for the next 60 days.
Looks like this:
The trick here is trusting that Instagram will be able to recognize the device(s) that you are using. How do they do that? Do they look for a cookie? Do they keep a list of user agents that you have used in the past? I’m not sure, so if anyone has information about how this works, please share in the comments or send an email via my contact form. In the meantime, ONLY click the button to “limit login help emails” if you are comfortable with not being able to recover your password for 60 days.
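One way the “limit login help emails” setting and a per-account throttle could fit together, as an added example (not Instagram's code; how Instagram actually recognizes devices is not known here). The device cookie, the cap of two emails per day for unrecognized devices, and every name below are assumptions.

```python
import hashlib
import hmac

DAY = 86400
LIMIT_WINDOW = 60 * DAY   # "This setting will last for the next 60 days"
MAX_UNKNOWN_PER_DAY = 2   # assumed cap for requests from unrecognized devices

class ResetEmailPolicy:
    """Decides whether a 'forgot password' request results in an email."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.known = {}          # account -> digests of device cookies seen at login
        self.limited_until = {}  # account -> time the opt-in restriction expires
        self.unknown_sent = {}   # account -> send times for unrecognized devices

    def _digest(self, account, cookie):
        msg = f"{account}:{cookie}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def record_login(self, account, cookie):
        self.known.setdefault(account, set()).add(self._digest(account, cookie))

    def limit_help_emails(self, account, now):
        self.limited_until[account] = now + LIMIT_WINDOW

    def should_send(self, account, cookie, now):
        recognized = (cookie is not None and
                      self._digest(account, cookie) in self.known.get(account, set()))
        if recognized:
            return True   # owner's device: a stranger's flood never blocks recovery
        if self.limited_until.get(account, 0) > now:
            return False  # restriction active: unrecognized devices get nothing
        recent = [t for t in self.unknown_sent.get(account, []) if now - t < DAY]
        allowed = len(recent) < MAX_UNKNOWN_PER_DAY
        self.unknown_sent[account] = recent + [now] if allowed else recent
        return allowed

def simulate():
    """Constructed scenario: 50 username-only requests, then the owner's request."""
    p = ResetEmailPolicy(b"demo-secret")
    p.record_login("alice", "cookie-from-alices-phone")
    flood = sum(p.should_send("alice", None, now=i) for i in range(50))
    p.limit_help_emails("alice", now=100)
    flood_limited = sum(p.should_send("alice", None, now=100 + i) for i in range(50))
    owner = p.should_send("alice", "cookie-from-alices-phone", now=200)
    after_expiry = p.should_send("alice", None, now=100 + LIMIT_WINDOW + DAY)
    return flood, flood_limited, owner, after_expiry
```

The form would show the same confirmation page whether or not an email is sent, so the response does not reveal which requests were dropped.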
That ends the update for this post. Thank you to the reader who pointed out that it’s the username that is being used to spam users.
Now back to the original article (and my sneaky little experiment, muhwah haha)..
Time for an experiment
In order to figure out more about the mysterious and frustrating Instagram login spam, I’m going to do some further experiments with my email address, and then follow up on this post. Just wanted to put it out there, to see if I am the only one (surely not), and check if anyone reading happens to have any related infos.
So far, here is a summary of what this is about:
- I use an email address like email@example.com for my Instagram account
- I have never shared that address with anyone, or used it anywhere other than Instagram
- A while ago, after getting plagued with “reset password” spam, I changed the email address to something like
- Then a while after that, still getting IG spam, so changed again to
- Still today, I continue to get bombarded with “password reset” spam from Instagram
So it seems obvious after over a year playing this game, that Instagram is spamming its own users. But I’m still not sure 100%. It could be some clever script/bot that is “guessing” email addresses, like anything “instagram” (or variation) followed by numbers, etc. Whatever the algorithm is, I am going to test it by using a completely random, complex string for my next Instagram email address. Something like:
So it’s like a strong password that can’t be guessed by some automated script.
If I continue to receive “password reset” spam after changing my email address to something impossible to “guess”, then it will be proven that Instagram is spamming its own users. Or user, if I happen to be the only one, lol.
Anyway that’s the idea. Again, will report back either way with the results.
If you have any related infos as to what’s happening with the endless Instagram login spam, please share in the comments or drop a line via my contact form.