Comment by cheald
I receive several "Let's help get you back onto Instagram" emails a week, and have for months and months. I can only assume it's someone trying to do something nasty, but I have no idea what it actually could be.
It's quite perplexed me.
Someone seems to be running a campaign like this with Amazon accounts currently. I don't know the password reset process for Instagram, but maybe a similar thing could be happening that people assumed is behind the Amazon wave:
Amazon sends you a 6-digit code to reset your password. The code is valid for five minutes before a new one is generated. I don't know what the rate limit is, but even if you can just try five times within those five minutes, your chance of guessing it right would be 1 in 200,000. Now assume the attackers are running this on several million accounts in parallel, and you can assume they'd be able to steal a few accounts just with lucky guesses.
It worried me enough that I removed my phone number from my account, through which the password reset requests were initiated. The absolute risk for each user may be low, but overall it seems like a terrible system with regard to security.
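The arithmetic in the comment above, generalized so a defender can see how code length and attempt caps change the aggregate risk. This is an added example, not part of the thread or any vendor's code. The 6-digit code and five tries come from the comment; the real rate limit is unknown, and the 3,000,000-account campaign size, the `ResetPolicy` fields and the hardened policy are assumptions.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class ResetPolicy:          # hypothetical model, not a real API
    digits: int             # length of the numeric reset code
    attempts_per_code: int  # guesses accepted before the code is voided
    codes_per_day: int      # reset codes issued per account per day

def p_account(policy: ResetPolicy, days: int = 1) -> float:
    """Chance that blind guessing takes over one account in `days` days."""
    space = 10 ** policy.digits
    # Distinct guesses against one code cover k of `space` values.
    p_code = min(policy.attempts_per_code, space) / space
    # Every fresh code is an independent draw, so the misses multiply.
    return 1.0 - (1.0 - p_code) ** (policy.codes_per_day * days)

def expected_takeovers(policy: ResetPolicy, accounts: int, days: int = 1) -> float:
    """Expected number of accounts lost across the whole campaign."""
    return accounts * p_account(policy, days)

def p_any_takeover(policy: ResetPolicy, accounts: int, days: int = 1) -> float:
    """Chance that at least one of `accounts` accounts is lost."""
    p = p_account(policy, days)
    if p >= 1.0:
        return 1.0
    # log1p/expm1 keep precision when p is tiny and accounts is large.
    return -math.expm1(accounts * math.log1p(-p))

# Policy as guessed in the comment: 6 digits, five tries, one code.
AS_DESCRIBED = ResetPolicy(digits=6, attempts_per_code=5, codes_per_day=1)
# Assumed hardened policy for comparison: longer code, fewer tries.
HARDENED = ResetPolicy(digits=8, attempts_per_code=3, codes_per_day=1)
CAMPAIGN_ACCOUNTS = 3_000_000  # constructed stand-in for "several million"

if __name__ == "__main__":
    for name, pol in (("as described", AS_DESCRIBED), ("hardened", HARDENED)):
        print(f"{name}: per-account 1 in {1 / p_account(pol):,.0f}, "
              f"expected takeovers {expected_takeovers(pol, CAMPAIGN_ACCOUNTS):.2f}, "
              f"P(any) {p_any_takeover(pol, CAMPAIGN_ACCOUNTS):.4f}")
```

The per-account figure matches the comment's 1 in 200,000; the point of the model is that the risk a provider carries scales with the number of accounts targeted, not with the odds any single user sees.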