Instagram users are being warned to stay vigilant and watch out for suspicious emails claiming that their passwords need to be reset. It appears that a bug in the Meta-owned platform’s system has been allowing cyber crooks to issue the urgent alert, with some reports suggesting that millions of accounts may have been affected. Instagram has now responded to the danger, with the social media giant saying it has now patched the issue and all accounts remain secure.

The company also states that passwords do not need to be reset and users must simply disregard the message if it lands in their inbox.

Speaking to Bleeping Computer, Instagram said: “We fixed an issue that allowed an external party to request password reset emails for some Instagram users.

“We want to reassure everyone there was no breach of our systems and people’s Instagram accounts remain secure. People can disregard these emails and we apologise for any confusion this may have caused.”

It’s currently unclear how widespread the issue is and how many people have been caught up in the drama. However, the cyber team at Malwarebytes recently posted a message on X (formerly Twitter) saying that over 17 million Instagram accounts may have been compromised – although this has not been confirmed by Meta.

“Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more,” Malwarebytes posted.

“If you haven’t enabled two-factor authentication on your Instagram account, today is a great day to do so.”

Whether this hack is real or not, this latest Instagram attack highlights the importance of keeping accounts secure by using things such as two-factor authentication. As always it’s a good idea not to click on links embedded in emails or hand any data over to people unless you know they are from Instagram. Following those rules should keep things safe.

“Following reports of widespread Instagram password reset prompts, many users were left questioning whether their accounts were compromised,” said Mayur Upadhyaya, CEO of security firm APIContext.

“Following reports of widespread Instagram password reset prompts, many users were left questioning whether their accounts were compromised. Even when accounts aren’t breached, a wave of password reset requests can shake user confidence. It’s a reminder of how critical it is to monitor from both the inside and outside, catching abnormal behaviour before it escalates. If you’re only watching internal systems, you might miss what real users are experiencing. That outside-in signal is often where trust gets tested first.”