
Reset Instagram Password Spam

For the past year or so, I’ve been getting TONS of email spam from Instagram, asking if I want to reset my password. The problem is that the email I use at Instagram is private, and exclusive to Instagram. So there is no way of knowing, no way for anyone to know, my Instagram email address. There is only one possible conclusion: Instagram is spamming its own users.

The “reset password” emails sent by Instagram look like this:

From: Instagram
Subject: username, we’ve made it easy to get back on Instagram
To: youremailaddress@example.com

Hi username,

Sorry to hear you’re having trouble logging into Instagram. We can help you get straight back into your account.

Login as username

You can also reset your Instagram password.
Didn’t request this email?

Here is a screenshot:

[Screenshot of Instagram email] Look familiar?

Anyone else getting a ton of these emails? Is it spam? Something else? In order to find out, I decided to do a little experiment..

Update 2

People continue asking how I ended up dealing with the Instagram email spam. As one reader lamented:

“I’m getting reset password emails every 15 minutes since half 12 last night. It gives me the option to limit the reset emails, however it automatically flicks to another page saying ‘you’ll now get all log in help emails’. Do you have any idea of how I can get around this?!? It’s driving me insane!”

So yeah, how I ended up dealing with the endless Instagram spam is to just add a simple rule in my email filtering list. Any email that contains either of the following:

  • we’ve made it easy to get back on Instagram
  • request to reset your Instagram password

Any email that matches either of those strings is sent automatically to the Trash and marked as read. So I never see the endless flow of Instagram password email spam. Problem solved. Or at least, worked around.
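The rule above as a matcher, as an added example that is not from the original post: it shows why the two strings should be compared against the decoded subject and body rather than the raw message, since the subject's curly apostrophe arrives as an RFC 2047 encoded word and body text can wrap mid-phrase. The sample messages are constructed for the example.

```python
import email
from email import policy

# The two phrases from the filter rule, lower-cased, straight apostrophes.
PHRASES = (
    "we've made it easy to get back on instagram",
    "request to reset your instagram password",
)

def normalize(text):
    """Unify curly/straight apostrophes, lower-case, collapse whitespace."""
    text = text.replace("\u2019", "'").replace("\u2018", "'")
    return " ".join(text.lower().split())

def naive_match(raw):
    """Substring search on the raw message bytes, as a simple filter might do."""
    low = raw.lower()
    return any(p.encode() in low for p in PHRASES)

def is_reset_mail(raw):
    """Match the phrases against the decoded subject and text body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = [str(msg["subject"] or "")]
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        parts.append(body.get_content())
    return any(p in normalize(" ".join(parts)) for p in PHRASES)

# Constructed sample messages (not real Instagram mail).
HEAD = b"From: Instagram <sender@example.com>\r\nTo: youremailaddress@example.com\r\n"
TEXT = b"MIME-Version: 1.0\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n"
ENCODED_SUBJECT = (HEAD
    + b"Subject: =?UTF-8?Q?username,_we=E2=80=99ve_made_it_easy"
    + b"_to_get_back_on_Instagram?=\r\n" + TEXT + b"Hi username,\r\n")
WRAPPED_BODY = (HEAD + b"Subject: Password help\r\n" + TEXT
    + b"We received a request to reset your\r\nInstagram password.\r\n")
UNRELATED = HEAD + b"Subject: New login\r\n" + TEXT + b"Hello.\r\n"

if __name__ == "__main__":
    for name, raw in [("encoded", ENCODED_SUBJECT), ("wrapped", WRAPPED_BODY),
                      ("unrelated", UNRELATED)]:
        print(name, naive_match(raw), is_reset_mail(raw))
```

Most mail clients decode headers before applying rules, but a server-side or script-based filter working on raw messages needs the decoding step shown in `is_reset_mail`.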

Update 1

After posting this article, a reader sent the following information:

Someone wants your username and hits the recover password to see what happens or if more info is displayed. It has nothing to do with the email you are using or Instagram spamming you.

So yeah, that makes sense and seems to be the reason why people are getting so many password-reset emails from Instagram. Apparently there are bots/scripts out there just hammering the Instagram “Forgot Password” form:

[Screenshot of Instagram “Forgot Password” page]

Notice in the form where it asks for your “Email, phone, or username”. That is the flaw. It enables bad actors to scrape usernames and then hit that form with their kiddie script. So they can spam Instagram users with endless “password reset” emails, just by entering the username. Why would anyone do this? Well, that’s a good question. Probably has something to do with competition and money, imho.

The solution? The problem is that collecting existing usernames is trivial to do, so any random idiot can scrape up hundreds or thousands of usernames and use them to spam users. The solution would be for Instagram to require ONLY email address or phone number for users to reset their password. Remove the option to reset passwords based on username only. This would stop 99% of Instagram “forgot password” spam immediately. Why? Because email addresses and phone numbers are private. So scrapers and scumbags can’t get to them.

But! Instagram does provide a way to limit the login emails. Just click on the “Didn’t request this email?” link, as shown here:

[Screenshot of Instagram email with arrow pointing to limit login help link] Click the link to limit the “help” emails for 60 days

Upon clicking that link, you will be taken to a page where you can limit help emails based on your device. As it says on the page:

Only get login help emails from devices where you’ve used Instagram before. This setting will last for the next 60 days.

Looks like this:

[Screenshot of Limit Login Help Emails page] Click the button ONLY if you are sure that your device(s) will be recognized

The trick here is trusting that Instagram will be able to recognize the device(s) that you are using. How do they do that? Do they look for a cookie? Do they keep a list of user agents that you have used in the past? I’m not sure, so if anyone has information about how this works, please share in the comments or send an email via my contact form. In the meantime, ONLY click the button to “limit login help emails” if you are comfortable with not being able to recover your password for 60 days.
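A small model of the two controls discussed above, as an added example that is not Instagram's code: the `allow_username` switch contrasts the current form with the proposed email-or-phone-only form, and `limit_until` models the 60-day device limit. The `Account` fields, the device tokens and the function names are assumptions made for the illustration; how Instagram actually recognizes devices is not known here.

```python
import re
from dataclasses import dataclass, field

LIMIT_SECONDS = 60 * 24 * 3600  # the 60-day window quoted on the page

@dataclass
class Account:
    username: str             # public, trivially collected
    email: str                # private
    phone: str                # private
    known_devices: set = field(default_factory=set)  # hypothetical device tokens
    limit_until: float = 0.0  # end of an active "limit login help emails" window

def kind_of(identifier):
    """Classify what the requester typed into the form."""
    if "@" in identifier:
        return "email"
    if re.fullmatch(r"\+?\d{7,15}", identifier):
        return "phone"
    return "username"

def reset_recipient(accounts, identifier, device, now, allow_username):
    """Return the address that gets a reset email, or None if none is sent.
    The caller should show the same confirmation page in both cases."""
    kind = kind_of(identifier)
    if kind == "username" and not allow_username:
        return None  # proposed fix: a public handle cannot trigger mail
    ident = identifier.lower()
    acct = next((a for a in accounts if getattr(a, kind).lower() == ident), None)
    if acct is None:
        return None
    if now < acct.limit_until and device not in acct.known_devices:
        return None  # 60-day limit: an unrecognized device gets nothing
    return acct.email

def enable_limit(acct, now):
    """Model of clicking the limit button in the email."""
    acct.limit_until = now + LIMIT_SECONDS
```

With `allow_username=True` anyone who knows the public handle can make the account owner receive mail; with it off, only someone who already knows the private address or number can.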

That ends the update for this post. Thank you to the reader who pointed out that it’s the username that is being used to spam users.

Now back to the original article (and my sneaky little experiment, muhwah haha)..

Time for an experiment

In order to figure out more about the mysterious and frustrating Instagram login spam, I’m going to do some further experiments with my email address, and then follow up on this post. Just wanted to put it out there, to see if I am the only one (surely not), and check if anyone reading happens to have any related infos.

So far, here is a summary of what this is about:

  • I use an email address like instagram@example.com for my Instagram account
  • I have never shared that address with anyone, or used it anywhere other than Instagram
  • A while ago, after getting plagued with “reset password” spam, I changed the email address to something like instagram2@example.com
  • Then a while after that, still getting IG spam, so changed again to instgrm3@example.com
  • Still today, I continue to get bombarded with “password reset” spam from Instagram

So it seems obvious after over a year playing this game, that Instagram is spamming its own users. But I’m still not sure 100%. It could be some clever script/bot that is “guessing” email addresses, like anything “instagram” (or variation) followed by numbers, etc. Whatever the algorithm is, I am going to test it by using a completely random, complex string for my next Instagram email address. Something like:

6YwcyyE9VM8YarvTh7Dx@example.com

So it’s like a strong password that can’t be guessed by some automated script.

Hypothesis:

If I continue to receive “password reset” spam after changing my email address to something impossible to “guess”, then it will be proven that Instagram is spamming its own users. Or user, if I happen to be the only one, lol.

Anyway that’s the idea. Again, will report back either way with the results.

Update! In case you missed it, this case has been solved. Check out the Update section, above.

If you have any related infos as to what’s happening with the endless Instagram login spam, please share in the comments or drop a line via my contact form.

Jeff Starr
About the Author
Jeff Starr = Designer. Developer. Producer. Writer. Editor. Etc.

5 responses to “Reset Instagram Password Spam”

  1. I’ve had 31 “sorry you’re having trouble” or password reset emails from Instagram just since May last year. I’ve got 2FA on, selected my authorised devices, submitted support requests, everything; it doesn’t stop. They are definitely from Instagram as they’re in the security options on the app.

    Also I noticed that only some of the emails have a “This wasn’t me” option, not all of them. I’m hoping that you can find a solution, eagerly awaiting updates and happy to add my name to some kind of Do Better petition/open letter if there is one.

    It’s not even like I have an account worth hacking into, not that many followers!

  2. Hello! I’ve gotten 3 of these emails in the past few weeks. The only difference in mine is that it doesn’t have the “Didn’t request this email?” link. So I don’t know how to limit getting them. When I’ve gotten them I’ve been concerned that it’s someone trying to get into my account so I’ve changed the password twice now. Clearly that’s not helping. Any ideas?

  3. I do not have a button that says ‘I did not request this email’ any advice how to proceed?

  4. My emails don’t have the “I did not request this email” button…

Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »