It is happening to many Italian users, often suddenly and without obvious signs. You open your email or look at a notification on your phone and a message appears that immediately alarms you: “We received a request to reset your Instagram password”. Everything seems normal, even reassuring. And that’s exactly the problem.
The Instagram account scam that has been circulating in recent weeks plays on slippery ground, where true and false look too much alike. The message is constructed like the official ones, with the same graphics, the same language, the same buttons. The user, fearing that someone is trying to get into their profile, clicks to defend themselves. But that click, instead of protecting, opens the door wide.
The mechanism that exploits the fear of losing everything
The heart of the scam is simple and ruthless. The link contained in the email or notification does not lead to an official Instagram page, but to a clone site, an almost perfect copy. Here you are asked to enter your current password “for security”. A gesture that seems logical, especially when you are convinced you are under attack.
It is precisely at that moment that the account is handed over to the scammers. No forcing, no alarms, no obvious warnings. Just an apparently correct procedure, which takes advantage of the urgency and trust built over the years by a platform used every day by millions of people.
Within a few minutes, whoever got their hands on the credentials changes the email address associated with the profile, modifies the recovery data and logs the legitimate owner out of every device. Smartphones, computers, tablets: locked out of everything. Recovering the account becomes very difficult, sometimes impossible.
What Instagram says and why the situation is more complex than it seems
Amid reports of missing profiles and widespread alarm, Meta has clarified its position. Instagram claims it has not lost its database or passwords. So there was no large-scale hack, according to the official version.
The platform instead spoke of a technical problem that reportedly allowed external parties to generate password reset requests for some real accounts. In practice, many reset emails were reportedly sent by the system without users having requested them. These were emails genuine in form, coming from authentic domains, but unexpected.
At the same time, some cybersecurity companies, including Malwarebytes, report the online circulation of data attributable to millions of Instagram accounts. This would be information such as email addresses and telephone numbers, which ended up on dark web forums and markets and could potentially be used for targeted phishing campaigns.
Meta denied that this exposure derives from a recent breach of Instagram’s systems, but the data remains relevant: even without directly hacking the platform, personal information already disclosed can make fraudulent emails and messages more credible, increasing the risk for users.
We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems and your Instagram accounts are secure.
You can ignore those emails — sorry for any confusion.
— Instagram (@instagram) January 11, 2026
And this is where the short circuit is created. Because when a communication is indistinguishable from official ones, even the most attentive user can lower their guard. In this climate of confusion, scammers did the rest, replicating those same communications and inserting fraudulent links capable of intercepting real passwords.
Instagram urged users to ignore unsolicited reset requests and assured that it had resolved the anomaly. But the damage, at least for many, was already done.