A massive dataset containing personal information from approximately 17 million Instagram accounts has surfaced on hacker forums, triggering widespread password reset emails and raising questions about the line between data “scraping” and security breaches.
On January 7, 2026, a threat actor using the alias “Solonik” posted a dataset titled “INSTAGRAM.COM 17M GLOBAL USERS — 2024 API LEAK” on BreachForums, a notorious underground hacking forum. The collection, formatted in JSON and TXT files, contains usernames, full names, email addresses (for roughly 6.2 million accounts), phone numbers, partial addresses, and geolocation data, but notably no passwords.

Cybersecurity firm Malwarebytes discovered the leak during routine dark web monitoring and alerted users on January 9. The firm warned that attackers were already exploiting the information for phishing campaigns and account takeover attempts, particularly by abusing Instagram’s password reset system.
Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more.
— Malwarebytes (@Malwarebytes) January 9, 2026
Instagram addressed the incident on January 11 via its official X (formerly Twitter) account: “We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems, and your Instagram accounts are secure. You can ignore those emails — sorry for any confusion.”
Meta suggested the leaked data represents old scraped information resurfacing rather than a new intrusion.
The Scraping vs. Breach Debate
Security researchers remain divided on how to classify the incident. While Meta insists no systems were breached, Malwarebytes categorized it as a data breach, noting that sensitive personal information is circulating freely on dark web forums and actively being weaponized by cybercriminals.
The distinction matters less to affected users than the practical reality: their personal information is now accessible to bad actors, regardless of how it was obtained. Some cybersecurity experts suggest the data may originate from a 2022 API scraping incident, though this remains unconfirmed.
What Data Was Exposed

According to multiple reports analyzing the leaked dataset:
- Instagram usernames
- Full names
- Email addresses (approximately 6.2 million)
- International phone numbers
- Partial physical addresses
- Instagram user IDs
- Location data
Critically: No passwords were included in the leak.
What You Should Do Now
1. Check Your Exposure
Visit Have I Been Pwned and search using the email or phone number linked to your Instagram account.
2. Enable Two-Factor Authentication
- Open the Instagram app > Settings > Accounts Center > Password and Security > Two-Factor Authentication
- Choose an authenticator app (Google Authenticator, Authy) over SMS
- SMS-based 2FA is vulnerable to SIM-swapping attacks

3. Update Your Password
- Navigate to Settings > Accounts Center > Password and Security > Change Password
- Create a strong, unique password (12+ characters, mix of letters/numbers/symbols)
- Never reuse passwords across platforms. Use a password manager like Bitwarden or 1Password.
4. Review Login Activity
- Settings > Accounts Center > Password and Security > Where you’re logged in
- Check for unfamiliar devices or locations
- Log out suspicious sessions immediately

5. Ignore Unsolicited Reset Emails
Delete password reset requests you didn’t initiate. Make any account changes directly through the Instagram app, never via email links.
6. Stay Alert for Phishing
The leaked contact information enables highly targeted scam attempts. Be suspicious of:
- Emails or DMs claiming to be from Instagram/Meta
- Requests for verification codes
- Messages referencing your personal details to appear legitimate
7. Consider Credit Monitoring
If partial addresses were exposed, consider placing a fraud alert with credit bureaus (Equifax, Experian, TransUnion).
Quick Fact to Consider
This isn’t Meta’s first data exposure. The company was fined €265 million in 2022 for a 2021 Facebook data leak affecting hundreds of millions of users. The incident highlights ongoing tensions between how platforms define “breaches” and how security researchers assess actual user risk.
Meta appears to distinguish between unauthorized system access and data harvesting through legitimate-but-abused features.
Security professionals focus on the outcome: exposed user information now circulating in criminal marketplaces.