After spotting an advertisement for the personal information of celebrities on an underground forum, researchers at Kaspersky Lab have discovered a hole in the cyber-armour of Instagram.

That hole comes in the form of a bug that allowed hackers to circumvent the image sharing service’s security measures.

Kaspersky said that the hackers used an outdated version of the Instagram app (version 8.5.1) to select the password-reset option. The attackers used a web proxy to capture the request. That request then had the username changed to the name of a targeted celebrity.

From there the Instagram server would respond with the targets personal information.

If that sounds a bit complex that’s because it is. In a report by Ars Technica a Kaspersky Lab representative said that each attack had to be done manually rather than a script doing all the work.

The bug has been fixed and Instagram is currently conducting an investigation. The firm says that it knows of at least one person who exploited this bug.

“Our main concern is for the safety and security of our community. At this point, we believe this effort was targeted at high-profile users so, out of an abundance of caution, we are notifying our verified account holders of this issue,” Instagram said in a statement.

Celebrity or not we recommend enabling two-factor authentication for your account. You never know when cyber criminals might strike.