Instagram users across the UK and globally are being urged to exercise extreme caution after a sharp rise in convincing password reset emails, many of which are likely phishing attempts by cybercriminals.
The Anatomy of the Attack
The scam is deceptively simple. Users receive an email that appears legitimate, claiming Instagram has received a request to reset their account password. The message typically features a prominent 'Reset Password' button and a secondary link to report that the user didn't make the request. In a phishing email that 'report' link is under the attacker's control just as much as the button, so neither is safe to click. According to cybersecurity expert Davey Winder, a senior Forbes contributor, hackers are banking on users panicking and clicking without thinking.
Instagram's official stance is that receiving such an email doesn't necessarily mean a breach has occurred: a genuine reset email can be triggered by a stranger mistyping their own email address on the reset form, so the email alone is not proof that anyone has your password. However, the timing is highly suspicious. Forbes reports that just hours before users began reporting the surge, a hacker posted data on 17.5 million Instagram accounts on the BreachForums platform.
How to Identify a Legitimate Instagram Email
The most critical check is the sender's address. Instagram confirms it only sends email from addresses at the domain mail.instagram.com. Any message claiming to be from Instagram but sent from a different address is a phishing attempt. Look at the actual address, not the display name: the name shown next to the address can be set to anything, including a fake Instagram address. Read the domain exactly rather than scanning for 'instagram' somewhere in it, because lookalikes such as 'mail.instagram.com' followed by a further dot and another domain, or a hyphenated variant, are not Instagram. Bear in mind too that a sender address can be forged outright; the authentication results your own mail provider records (DMARC pass or fail, usually visible in the message's headers) are stronger evidence than the From line. Safest of all is not to act on the email: open instagram.com or the app yourself and check or change your password there.
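To show what the sender check looks like when done properly, here is an added Python triage script (not Instagram's or the article's code) that parses a raw email, compares the real sender domain exactly against mail.instagram.com, reads the DMARC result from the receiving server's Authentication-Results header, and lists where the 'Reset Password' and 'report' links actually go. The two sample messages are constructed; the mail.instagram.com sender domain comes from the article, while the assumption that genuine buttons point at instagram.com or a subdomain of it is the example's own.

```python
"""Triage a suspected Instagram password-reset email.

Added example with constructed sample messages; not real Instagram mail.
Only the mail.instagram.com sender domain comes from the article. The link
policy (buttons must point at instagram.com or a subdomain) and the DMARC
check are assumptions about what a careful recipient would also look at.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

LEGIT_SENDER_DOMAIN = "mail.instagram.com"  # the only sender domain Instagram uses (per the article)
LEGIT_LINK_DOMAIN = "instagram.com"         # assumption: real buttons point at instagram.com


def sender_domain(from_header: str) -> str:
    """Domain of the real address in From:, ignoring the display name.

    The display name is attacker-controlled and often contains a fake address,
    so 'is mail.instagram.com somewhere in the header' is the wrong check.
    """
    _display_name, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def sender_is_legit(from_header: str) -> bool:
    # Exact comparison: 'mail.instagram.com.example.net' and 'mail-instagram.example' must fail.
    return sender_domain(from_header) == LEGIT_SENDER_DOMAIN


def dmarc_passed(auth_results: str) -> bool:
    """True if the receiving server recorded dmarc=pass in Authentication-Results.

    From: can be forged; this header is added by your own mail provider, so it
    is the evidence that the From: domain was actually authenticated.
    """
    return re.search(r"\bdmarc=pass\b", auth_results) is not None


def is_instagram_host(host: str) -> bool:
    # A dot-delimited suffix match is a true subdomain; 'instagram.com.evil.example' is not.
    return host == LEGIT_LINK_DOMAIN or host.endswith("." + LEGIT_LINK_DOMAIN)


def link_hosts(html_body: str) -> list[str]:
    """Hostnames of every href in the body: 'Reset Password' and 'report' links alike."""
    hrefs = re.findall(r'href=["\']([^"\']+)["\']', html_body, flags=re.IGNORECASE)
    return sorted({(urlparse(h).hostname or "").lower() for h in hrefs})


def triage(raw_message: str) -> dict:
    """Return the individual findings plus a verdict for one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    from_header = str(msg.get("From", ""))
    findings = {
        "sender_domain": sender_domain(from_header),
        "sender_ok": sender_is_legit(from_header),
        "dmarc_ok": dmarc_passed(str(msg.get("Authentication-Results", ""))),
        "foreign_link_hosts": [h for h in link_hosts(html) if not is_instagram_host(h)],
    }
    suspicious = not (findings["sender_ok"] and findings["dmarc_ok"]) or findings["foreign_link_hosts"]
    findings["verdict"] = "phishing" if suspicious else "plausible"
    return findings


# Constructed sample 1: the display name carries a fake Instagram address, the real
# sender is a lookalike domain, DMARC failed, and both buttons lead to the attacker's site.
PHISH = """\
From: "Instagram <security@mail.instagram.com>" <alerts@mail-instagram.example>
To: victim@example.com
Subject: We received a request to reset your password
Authentication-Results: mx.example.com; spf=pass; dkim=none; dmarc=fail
Content-Type: text/html; charset=utf-8

<p>Someone asked to reset your password.</p>
<a href="https://mail.instagram.com.example-login.net/reset">Reset Password</a>
<a href="https://mail.instagram.com.example-login.net/report">This wasn't me</a>
"""

# Constructed sample 2: what a genuine notice would look like under the article's rule.
PLAUSIBLE = """\
From: Instagram <security@mail.instagram.com>
To: user@example.com
Subject: Reset your password
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/html; charset=utf-8

<a href="https://instagram.com/accounts/password/reset/">Reset Password</a>
<a href="https://help.instagram.com/">This wasn't me</a>
"""

if __name__ == "__main__":
    for label, raw in (("sample 1", PHISH), ("sample 2", PLAUSIBLE)):
        print(label, triage(raw))
```

Even a 'plausible' verdict only means the message passed these checks; the advice above still applies, so reset the password by opening instagram.com yourself rather than through the email's button.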
Essential Steps to Secure Your Account
Even if attackers trick you into clicking and typing your password into their page, they would still need more than that password to get into your account if two-factor authentication (2FA) is enabled, and that is the primary defence. 2FA adds a second layer of security by requiring a unique login code from an authenticator app or SMS when signing in from an unrecognised device. An authenticator app is the better choice of the two, since SMS codes can be intercepted by SIM-swap attacks, and a login code should never be typed into a page reached from an email link, only into the app or instagram.com opened directly.
Instagram enables 2FA by default for creator accounts, but all users should manually verify it is active for their profile. Full instructions for managing 2FA are available in Instagram's Help Centre. The email account matters just as much: password resets are delivered to it, so an attacker who takes over the mailbox can reset the Instagram password themselves. Secure the email account with a strong, unique password that is different from every social media password, and with its own 2FA, so that a single breach cannot cascade into multiple accounts.
If you believe your account has already been compromised, or you are locked out, Instagram directs users to visit instagram.com/hacked for a dedicated recovery process. The Independent has contacted Meta, Instagram's parent company, for further comment on the ongoing situation.