- A data breach exposed around 17.5 million Instagram accounts, says Malwarebytes
- Leaked data includes usernames, emails, phone numbers, and partial physical addresses
- Data likely came from an Instagram API leak posted on BreachForums in January 2024
A data breach affecting around 17.5 million Instagram accounts has been reported by cybersecurity firm Malwarebytes. The leaked data is already being shared freely on hacker forums and the dark web, putting millions of users at risk.
Malwarebytes said it found the data during routine dark web monitoring. The leaked information includes usernames, full names, email addresses, phone numbers, partial physical addresses, and other contact details.
Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more. pic.twitter.com/LXvjjQ5VXL
— Malwarebytes (@Malwarebytes) January 9, 2026
Malwarebytes warned that the scale of the exposed data significantly increases the risk of abuse. Attackers are likely to exploit this information in impersonation attacks, phishing campaigns, and credential harvesting attempts, especially by leveraging Instagram's password reset mechanism to gain access to user accounts, the firm cautioned.
Source Of The Leak
The data is believed to come from an Instagram API leak in 2024. On January 7, a threat actor named “Solonik” posted the dataset on BreachForums, offering it for free. The post claimed to contain over 17 million Instagram user records in JSON and TXT formats, affecting users worldwide. Sample data shared online includes usernames, emails, phone numbers, user IDs, and profile metadata, which supports Malwarebytes' findings.
The leaked records appear to be structured like API responses, suggesting the data may have been collected through scraping, an exposed API endpoint, or a misconfigured system. The exact source of the leak is still unclear.
What Meta Said
Meta, Instagram's parent company, has not confirmed or reacted to the breach.
What To Do If You Receive Emails From Instagram
Following the leak, many users have reported receiving unexpected Instagram password reset emails. Malwarebytes noted that some of these may be legitimate, while others could be part of ongoing abuse by malicious actors.
There is no evidence that Instagram passwords were leaked, but the exposed contact details are enough to carry out phishing scams, SIM swapping, and account recovery abuse.
Malwarebytes said the data is available for sale on the dark web and can be abused by cybercriminals.
Users are advised to change their Instagram passwords, enable two-factor authentication (2FA) using an authenticator app, and be cautious of suspicious messages. Malwarebytes is also offering a free Digital Footprint scan to help users check if their email addresses appear in the leaked data.
If you are receiving password reset emails you did not request, it may be a sign that someone is trying to access your account.
Track Latest News Live on NDTV.com and get news updates from India and around the world
