Instagram users were sent password reset emails recently that they didn’t request, but Instagram says there was no breach of their system.
there was no breach of their system
Which is technically correct. By the way, the “breach” is in hibp’s database now. Although there were no password leaks, the leaked information is still rather sensitive.
Yeah I tried to go into what I thought the issue was really, which is services like instagram collecting your email in the first place. If they didn’t do that then there wouldn’t be any data to accidentally leak. And of course it all ties back to passwords being terrible, if they were using passkeys instead then there wouldn’t be the need for a password reset mechanism in the first place either.
Correct me if I’m wrong here, but doesn’t Facebook use passkeys and/or hardware security keys / passwordless logins? Kinda odd that Instagram doesn’t.
It looks like they ask for your email/phone number anyway but yes they seem to support passkeys on Facebook, very inconsistent and weird.