You’ve probably seen the recent media brouhaha about a supposed data breach at Instagram affecting more than 17 million users.
The story unfolded something like this:
Consensus seems to be that the data was not stolen (which would imply that criminals got hold of data that was never meant to be public) but was probably “scraped” at some point (which implies that public data was downloaded, albeit on a much larger scale than a human user working alone could achieve).
Companies who offer web services that allow users to be searched for online, based on data that those users have already agreed to make public, usually implement some sort of rate limiting.
This aims to make searching tools fast and helpful for humans who want to search for specific users, for example by name, but slow and unusable by automatic software scripts that aim to “search” for everyone in one go, rather than for someone specific.
Vague searches might be rejected entirely, telling you to provide more information to narrow the search, or might be presented in small batches with delays between each batch.
The idea is that humans don’t want to scan through hundreds of search results at a time, and would take quite some time to do so anyway, so requiring them to improve their search criteria is pretty much telling them to do what they’d naturally do anyway.
On the other hand, automated scraping tools that aren’t interested in finding someone, but rather in acquiring a list of everyone for misuse later, get slowed down or thwarted by this sort of rate-limiting intervention.
This is the same sort of idea that makes an 8-digit passcode on your mobile phone relatively safe, but an 8-character password on a web account rather risky.
Phone passcodes can’t be “tried out” offline, but must be physically entered on the phone itself, and the phone gets to choose how long it makes you wait between each guess.
The device generally increases the wait after two or three wrong answers, thus slowing things down even more.
A one-second wait after putting in one wrong code by hand won’t inconvenience a legitimate user at all, and ramping up to a 10-second wait after two or three fumbles is a modest price to pay if you’re the genuine owner of the phone.
But a robot phone-tapping device (such things exist) that can type in passcodes tirelessly in the hope of breaking in would be in trouble, because trying all possible 8-digit passcodes, of which there are 100 million, would take one billion seconds at 10 seconds per guess, which is more than 30 years (and modern phones increase the delay to much longer than 10 seconds after a few wrong goes).
An API (application programming interface) leak, as claimed in the dark web post offering this data for sale, therefore suggests that the data was acquired by someone who used a legitimate web-based query interface for retrieving public data, but found an illegitimate or unintended loophole that allowed them to “overdo” things, such as sidestepping any rate limiting or query-rejection tools and downloading millions of items at a time.
That’s if the dark web vendor is telling the truth, of course. (The BBC, for example, suggests that the data may have been scraped back in 2022, perhaps when different rate limits or query protections were in place.)
That’s not the same as a full-on breach, and further suggests that although individual users might be surprised to see their contact data packaged up in a giant database of this sort, they wouldn’t find any data in there that they hadn’t already made public.
But it still leaves the question, “What about all those password reset emails?”
Well, bogus password resets – if we assume your email account itself is secure – aren’t directly harmful.
If you do reset your own password unnecessarily, it’s still your password, so that doesn’t help an attacker.
If you ignore the request, then that doesn’t help attackers either. (If they already know your password, they’re unlikely to ask you to reset it, just in case you do just that and lock them out!)
That’s just as well, because unintended or malicious password resets are trivial to trigger these days on online services.
Loosely speaking, almost anyone can trigger a password reset request on your account if they know your username or your email address.
But unexpected and unwanted password requests are at best unnerving, and at worst could scare some users, especially those who have been scammed before, into taking undesirable or insecure steps out of fear, thinking they’re protecting themselves.
(Of course, you’d expect, or at least hope, that major online services would apply the same sort of rate limiting to password reset requests as they do to queries against user profiles, if only to minimize the number of bogus reset requests that a criminal or trouble-stirrer could trigger each day.)
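The rate limiting described earlier for profile lookups, and hoped for here on reset requests, is straightforward to sketch. The block below is an added illustration, not Instagram’s code: a hypothetical sliding-window limiter for a password-reset endpoint, with one budget per target account (so nobody can flood a victim’s inbox) and one per requesting client (so a script cannot trigger resets for everyone in one go), run over constructed sample traffic.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class ResetRateLimiter:
    """Hypothetical sliding-window limiter for password-reset requests.

    Two independent budgets per window: how many reset emails one account
    may receive, and how many resets one client (IP, API key, ...) may trigger.
    """
    per_account_limit: int = 3
    per_client_limit: int = 20
    window_seconds: float = 3600.0
    _account_hits: dict = field(default_factory=lambda: defaultdict(deque))
    _client_hits: dict = field(default_factory=lambda: defaultdict(deque))

    def _prune(self, hits: deque, now: float) -> None:
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window_seconds:
            hits.popleft()

    def allow(self, account: str, client: str, now: float) -> bool:
        acct, cli = self._account_hits[account], self._client_hits[client]
        self._prune(acct, now)
        self._prune(cli, now)
        if len(acct) >= self.per_account_limit or len(cli) >= self.per_client_limit:
            return False  # throttled: no email sent; a real service would log this
        acct.append(now)
        cli.append(now)
        return True


def simulate(requests, limiter=None):
    """Feed (time, account, client) tuples through the limiter.
    Returns one decision per request (True = reset email would be sent)."""
    limiter = limiter or ResetRateLimiter()
    return [limiter.allow(account, client, t) for t, account, client in requests]


# Constructed sample traffic (not real data): one client requesting resets for
# 25 different accounts, one genuine user, five different clients all targeting
# bob, then bob himself after the window has expired.
SAMPLE = (
    [(float(i), f"user{i}@example.com", "script-1") for i in range(25)]
    + [(100.0, "alice@example.com", "alice-laptop")]
    + [(200.0 + i, "bob@example.com", f"stranger-{i}") for i in range(5)]
    + [(4000.0, "bob@example.com", "bob-phone")]
)
```

Running `simulate(SAMPLE)` shows the script cut off after 20 resets, bob’s inbox capped at 3 emails per hour, and the genuine requests from alice and bob going through.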
So, although this sounds a bit like a “nothing-to-see-here” story, with unwanted but mostly harmless password resets that may be related to email addresses that were dubiously acquired (but not strictly “breached”) some years ago...
...the final bullet point in the saga is intriguing and unexpected.
That’s because Instagram’s final response was to say:
We fixed an issue that let an external party request password reset emails for some people.
There was no breach of our systems.
As we’ve already said, the list of external parties who could request a password reset on your account, simply by knowing your username or email, includes practically anyone on the planet.
The theory is that this process is simple and effective if you really are locked out, but isn’t a risk if someone else triggers a reset request – unwanted password requests may be annoying, but they don’t really help an attacker to hack your account.
But who was the mysterious external party in this case?
Did they have special authority to automate password resets without any rate-limiting controls, and if so why?
Why did they issue unwanted password reset requests at all, regardless of rate?
Was this a bug in this third party’s own systems, or was there a more sinister cause, such as a disgruntled insider or a breach of their service?
And the final question is: If these password reset emails were unwanted but not the result of a security lapse that could affect your password, what’s the right thing to do now?
It seems ironic to go and change your password, given that the original reset emails were erroneous and unnecessary.
At the same time, it seems worthwhile changing your password anyway, given that the original reset emails were the result of an “external party” whose erroneous behavior has not been explained.
