
Reset Instagram Password Spam

For the past year or so, I’ve been getting TONS of email spam from Instagram, asking if I want to reset my password. The problem is that the email I use at Instagram is private, and exclusive to Instagram. So there is no way of knowing, no way for anyone to know, my Instagram email address. There is only one possible conclusion: Instagram is spamming its own users.

The “reset password” emails sent by Instagram look like this:

From: Instagram
Subject: username, we’ve made it easy to get back on Instagram

Hi username,

Sorry to hear you’re having trouble logging into Instagram. We can help you get straight back into your account.

Login as username

You can also reset your Instagram password.
Didn’t request this email?

Here is a screenshot:

[Screenshot of Instagram email]
Look familiar?

Anyone else getting a ton of these emails? Is it spam? Something else? In order to find out, I decided to do a little experiment..


After posting this article, a reader sent the following information:

Someone wants your username and hits the recover password to see what happens or if more info is displayed. It has nothing to do with the email you are using or Instagram spamming you.

So yeah, that makes sense and seems to be the reason why people are getting so many password-reset emails from Instagram. Apparently there are bots/scripts out there just hammering the Instagram “Forgot Password” form:

[Screenshot of Instagram “Forgot Password” page]

Notice in the form where it asks for your “Email, phone, or username”. That is the flaw. It enables bad actors to scrape usernames and then hit that form with their kiddie script. So they can spam Instagram users with endless “password reset” emails, just by entering the username. Why would anyone do this? Well, that’s a good question. Probably has something to do with competition and money, imho.

The solution? The problem is that collecting existing usernames is trivial to do, so any random idiot can scrape up hundreds or thousands of usernames and use them to spam users. The solution would be for Instagram to require ONLY email address or phone number for users to reset their password. Remove the option to reset passwords based on username only. This would stop 99% of Instagram “forgot password” spam immediately. Why? Because email addresses and phone numbers are private. So scrapers and scumbags can’t get to them.

But! Instagram does provide a way to limit the login emails. Just click on the “Didn’t request this email?” link, as shown here:

[Screenshot of Instagram email with arrow pointing to limit login help link]
Click the link to limit the “help” emails for 60 days

Upon clicking that link, you will be taken to a page where you can limit help emails based on your device. As it says on the page:

Only get login help emails from devices where you’ve used Instagram before. This setting will last for the next 60 days.

Looks like this:

[Screenshot of Limit Login Help Emails page]
Click the button ONLY if you are sure that your device(s) will be recognized

The trick here is trusting that Instagram will be able to recognize the device(s) that you are using. How do they do that? Do they look for a cookie? Do they keep a list of user agents that you have used in the past? I’m not sure, so if anyone has information about how this works, please share in the comments or send an email via my contact form. In the meantime, ONLY click the button to “limit login help emails” if you are comfortable with not being able to recover your password for 60 days.
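The two server-side controls discussed above (refusing username-only reset requests, and the 60-day "known devices only" limit) can be sketched as one reset-request policy. This is an added example, not Instagram's code: the `Account` record, the opaque device ids, the 15-minute cooldown and the reply text are all assumptions.

```python
import re
from dataclasses import dataclass, field

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?\d{7,15}$")
COOLDOWN = 15 * 60               # assumption: one help email per account per 15 minutes
LIMIT_WINDOW = 60 * 24 * 3600    # the 60-day "limit login help emails" window
GENERIC_REPLY = "If that matches an account, we have sent login help."

@dataclass
class Account:                   # hypothetical record, not Instagram's schema
    username: str
    email: str
    phone: str
    known_devices: set = field(default_factory=set)  # assumption: opaque device ids
    limit_until: float = 0.0     # set when the user opts in to the 60-day limit
    last_sent: float = float("-inf")

def normalize(identifier):
    """Classify the submitted identifier as email, phone or username."""
    value = identifier.strip().lower()
    if EMAIL_RE.match(value):
        return "email", value
    digits = re.sub(r"[\s().-]", "", value)
    if PHONE_RE.match(digits):
        return "phone", digits
    return "username", value

def handle_reset(accounts, identifier, device_id, now):
    """Return (reply, email_sent); the reply is identical on every path."""
    kind, key = normalize(identifier)
    if kind == "username":       # public identifier: never triggers an email
        return GENERIC_REPLY, False
    acct = next((a for a in accounts if key in (a.email.lower(), a.phone)), None)
    if acct is None:
        return GENERIC_REPLY, False
    if now < acct.limit_until and device_id not in acct.known_devices:
        return GENERIC_REPLY, False   # limit active and device not recognized
    if now - acct.last_sent < COOLDOWN:
        return GENERIC_REPLY, False   # throttle repeats for the same account
    acct.last_sent = now
    return GENERIC_REPLY, True

# Constructed sample account for trying the policy out.
SAMPLE = [Account("someuser", "x7q2@example.test", "+15555550100", {"dev-1"})]
```

Because the reply is the same whether or not an email goes out, the form also stops confirming which identifiers belong to real accounts.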

That ends the update for this post. Thank you to the reader who pointed out that it’s the username that is being used to spam users.

Now back to the original article (and my sneaky little experiment, muhwah haha)..

Time for an experiment

In order to figure out more about the mysterious and frustrating Instagram login spam, I’m going to do some further experiments with my email address, and then follow up on this post. Just wanted to put it out there, to see if I am the only one (surely not), and check if anyone reading happens to have any related infos.

So far, here is a summary of what this is about:

  • I use an email address like for my Instagram account
  • I have never shared that address with anyone, or used it anywhere other than Instagram
  • A while ago, after getting plagued with “reset password” spam, I changed the email address to something like
  • Then a while after that, still getting IG spam, so changed again to
  • Still today, I continue to get bombarded with “password reset” spam from Instagram

So it seems obvious after over a year playing this game, that Instagram is spamming its own users. But I’m still not sure 100%. It could be some clever script/bot that is “guessing” email addresses, like anything “instagram” (or variation) followed by numbers, etc. Whatever the algorithm is, I am going to test it by using a completely random, complex string for my next Instagram email address. Something like:

So it’s like a strong password that can’t be guessed by some automated script.


If I continue to receive “password reset” spam after changing my email address to something impossible to “guess”, then it will be proven that Instagram is spamming its own users. Or user, if I happen to be the only one, lol.

Anyway that’s the idea. Again, will report back either way with the results.

Update! In case you missed it, this case has been solved. Check out the Update section, above.

If you have any related infos as to what’s happening with the endless Instagram login spam, please share in the comments or drop a line via my contact form.

Jeff Starr
About the Author
Jeff Starr = Web Developer. Security Specialist. WordPress Buff.
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »