
Reset Instagram Password Spam

For the past year or so, I’ve been getting TONS of email spam from Instagram asking if I want to reset my password. The problem is that the email address I use at Instagram is private and exclusive to Instagram, so there is no way for anyone to know my Instagram email address. There is only one possible conclusion: Instagram is spamming its own users.

The “reset password” emails sent by Instagram look like this:

From: Instagram
Subject: username, we’ve made it easy to get back on Instagram
To: youremailaddress@example.com

Hi username,

Sorry to hear you’re having trouble logging into Instagram. We can help you get straight back into your account.

Login as username

You can also reset your Instagram password.
Didn’t request this email?

Here is a screenshot:

Screenshot of Instagram email

Look familiar?

Anyone else getting a ton of these emails? Is it spam? Something else? In order to find out, I decided to do a little experiment.

Update!

After posting this article, a reader sent the following information:

Someone wants your username and hits the recover password to see what happens or if more info is displayed. It has nothing to do with the email you are using or Instagram spamming you.

So yeah, that makes sense and seems to be the reason why people are getting so many password-reset emails from Instagram. Apparently there are bots/scripts out there just hammering the Instagram “Forgot Password” form:

Screenshot of Instagram “Forgot Password” page

Notice in the form where it asks for your “Email, phone, or username”. That is the flaw. It enables bad actors to scrape usernames and then hit that form with their kiddie script. So they can spam Instagram users with endless “password reset” emails, just by entering the username. Why would anyone do this? Well, that’s a good question. Probably has something to do with competition and money, imho.

The solution? The root problem is that collecting existing usernames is trivial, so any random idiot can scrape up hundreds or thousands of usernames and use them to spam users. The fix would be for Instagram to require ONLY an email address or phone number for users to reset their password, and remove the option to reset passwords based on username alone. This would stop 99% of Instagram “forgot password” spam immediately. Why? Because email addresses and phone numbers are private, so scrapers and scumbags can’t get to them.

But! Instagram does provide a way to limit the login emails. Just click on the “Didn’t request this email?” link, as shown here:

Screenshot of Instagram email with arrow pointing to limit login help link

Click the link to limit the “help” emails for 60 days

Upon clicking that link, you will be taken to a page where you can limit help emails based on your device. As it says on the page:

Only get login help emails from devices where you’ve used Instagram before. This setting will last for the next 60 days.

Looks like this:

Screenshot of Limit Login Help Emails page

Click the button ONLY if you are sure that your device(s) will be recognized

The trick here is trusting that Instagram will be able to recognize the device(s) that you are using. How do they do that? Do they look for a cookie? Do they keep a list of user agents that you have used in the past? I’m not sure, so if anyone has information about how this works, please share in the comments or send an email via my contact form. In the meantime, ONLY click the button to “limit login help emails” if you are comfortable with not being able to recover your password for 60 days.
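To make the two mitigations discussed in this update concrete (accepting reset requests only by email address or phone number rather than username, and the device-scoped 60-day limit on login-help emails), here is an added example of a password-reset request handler. It is not Instagram’s code and not code from this post; the account data, the device identifier (assumed to be a long random cookie value set at a past login), the one-hour/three-email throttle, and every name in it are constructed for illustration.

```python
"""
Added example (not from the original post): a password-reset request handler
that applies the mitigations discussed above.
  1. Requests are resolved only by email address or phone number. A public
     username is rejected, so a scraped username list cannot trigger emails.
  2. A per-account throttle caps reset emails per time window.
  3. An optional "trusted devices only" mode, modelled on the 60-day limit the
     post describes, drops requests from devices the account has never logged
     in from. The device id here is assumed to be a random cookie set at login.
All accounts, device ids, limits and helper names are constructed for the demo.
"""
import re
import time
from dataclasses import dataclass, field

RESET_WINDOW_SECONDS = 3600      # assumption: throttle window of one hour
MAX_RESETS_PER_WINDOW = 3        # assumption: at most three emails per window
TRUSTED_ONLY_SECONDS = 60 * 86400  # the 60-day limit described in the post

# The HTTP response is identical whether or not an account matched, so the
# form cannot be used to confirm that an email address or phone number exists.
GENERIC_RESPONSE = "If an account matches, we've sent password reset instructions."

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?\d{7,15}$")


@dataclass
class Account:
    username: str
    email: str
    phone: str
    known_devices: set = field(default_factory=set)   # device ids seen at a past login
    reset_times: list = field(default_factory=list)   # timestamps of emails sent
    trusted_only_until: float = 0.0                    # 0.0 means the mode is off


class ResetService:
    def __init__(self, accounts, now=time.time):
        self.now = now  # injectable clock so the throttle can be tested
        self.by_email = {a.email.lower(): a for a in accounts}
        self.by_phone = {a.phone: a for a in accounts}
        self.sent = []  # constructed outbox: (email, username) per email queued

    def limit_login_help(self, account):
        """User clicked "Didn't request this email?": trusted devices only for 60 days."""
        account.trusted_only_until = self.now() + TRUSTED_ONLY_SECONDS

    def _lookup(self, identifier):
        ident = identifier.strip()
        if EMAIL_RE.match(ident):
            return self.by_email.get(ident.lower())
        if PHONE_RE.match(ident):
            return self.by_phone.get(ident)
        return None  # usernames are deliberately not accepted as identifiers

    def request_reset(self, identifier, device_id):
        """Returns (email_queued, response_text). The response text never varies."""
        account = self._lookup(identifier)
        if account is None:
            return False, GENERIC_RESPONSE
        now = self.now()
        # Trusted-devices-only mode: drop requests from unrecognised devices.
        if account.trusted_only_until > now and device_id not in account.known_devices:
            return False, GENERIC_RESPONSE
        # Per-account throttle: forget sends older than the window, then count.
        account.reset_times = [t for t in account.reset_times
                               if now - t < RESET_WINDOW_SECONDS]
        if len(account.reset_times) >= MAX_RESETS_PER_WINDOW:
            return False, GENERIC_RESPONSE
        account.reset_times.append(now)
        self.sent.append((account.email, account.username))
        return True, GENERIC_RESPONSE


if __name__ == "__main__":
    svc = ResetService([Account("username", "instgrm3@example.com",
                                "+15555550100", {"cookie-from-my-phone"})])
    print(svc.request_reset("username", "unknown-device"))            # rejected
    print(svc.request_reset("instgrm3@example.com", "unknown-device"))  # queued
```

The throttle and the trusted-device check are independent: the first limits how many emails any one account can receive however the request arrives, while the second lets a user who is being targeted shut the door entirely for 60 days at the cost the post warns about, namely being unable to recover from a device the service has never seen.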

That ends the update for this post. Thank you to the reader who pointed out that it’s the username that is being used to spam users.

Now back to the original article (and my sneaky little experiment, muhwah haha).

Time for an experiment

In order to figure out more about the mysterious and frustrating Instagram login spam, I’m going to do some further experiments with my email address, and then follow up on this post. I just wanted to put it out there, to see if I am the only one (surely not), and to check if anyone reading happens to have any related info.

So far, here is a summary of what this is about:

  • I use an email address like instagram@example.com for my Instagram account
  • I have never shared that address with anyone, or used it anywhere other than Instagram
  • A while ago, after getting plagued with “reset password” spam, I changed the email address to something like instagram2@example.com
  • Then, a while after that, still getting IG spam, I changed it again to instgrm3@example.com
  • Still today, I continue to get bombarded with “password reset” spam from Instagram

So it seems obvious, after over a year of playing this game, that Instagram is spamming its own users. But I’m still not 100% sure. It could be some clever script/bot that is “guessing” email addresses, like anything “instagram” (or a variation) followed by numbers, etc. Whatever the algorithm is, I am going to test it by using a completely random, complex string for my next Instagram email address. Something like:

6YwcyyE9VM8YarvTh7Dx@example.com

So it’s like a strong password that can’t be guessed by some automated script.

Hypothesis:

If I continue to receive “password reset” spam after changing my email address to something impossible to “guess”, then it will be proven that Instagram is spamming its own users. Or user, if I happen to be the only one, lol.

Anyway, that’s the idea. Again, I will report back either way with the results.

Update! In case you missed it, this case has been solved. Check out the Update section, above.

If you have any related info as to what’s happening with the endless Instagram login spam, please share in the comments or drop a line via my contact form.

Jeff Starr
About the Author
Jeff Starr = Web Developer. Book Author. Secretly Important.
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »