Millions of Instagram users may face online risks after a large set of personal data linked to the platform surfaced on hacker forums and dark websites, according to a report by cybersecurity firm Malwarebytes. The firm said it discovered data related to about 17.5 million Instagram accounts during routine monitoring of underground platforms. Now that the information is in circulation and on sale, concerns about misuse have been raised.
Malwarebytes reported that the exposed records include usernames, full names, email addresses, phone numbers, partial physical addresses, and other contact details. While there is no indication that account passwords were part of the leak, the available data could still enable misuse.
Also read: CES 2026: 6 coolest tech highlights, from humanoid robots to PC keyboards
According to the firm, attackers can use such information to carry out impersonation attempts, phishing messages, and account recovery abuse. Cybercriminals may also trigger password reset requests to gain control of accounts by exploiting known recovery processes.
Source of the Leak
The leaked data is believed to be linked to an Instagram application programming interface incident that occurred in 2024. On January 7, a user operating under the name “Solonik” shared the dataset on BreachForums and offered it for free. The post claimed the files contained more than 17 million Instagram user records in JSON and TXT formats, covering users across regions.
Also read: Buying a room heater this winter? 5 Checks that matter more than price
Sample files posted online showed usernames, email addresses, phone numbers, user IDs, and profile details. Malwarebytes said this matched the data it observed. The structure of the records resembles automated system responses, suggesting the data may have been gathered through scraping, an exposed interface, or a system configuration issue. The exact method remains unconfirmed.
Response from Meta
Meta, which owns Instagram, has not issued a public statement confirming or denying the breach.
Also read: Oppo Reno 15 Pro 5G Review: Premium ambitions with practical brilliance
What Users Should Know
After the data surfaced online, some Instagram users reported receiving password reset emails they did not request. Malwarebytes said some messages may be genuine, while others could be linked to attempts to misuse leaked contact details.
The firm stated that exposed emails and phone numbers are enough to support phishing efforts, SIM swap attempts, and account takeover efforts, even without passwords.
Users are advised to update their Instagram passwords, enable two-factor authentication using an authentication app, and avoid clicking on links from unexpected messages. Malwarebytes also suggested users check whether their email addresses appear in the leaked dataset through available scanning tools. Unrequested password reset emails may indicate an attempt to access an account.