On January 7, 2026, the cybersecurity world was shaken by the revelation of a massive data breach affecting Instagram, one of the globe’s most popular social media platforms. According to Malwarebytes, a respected cybersecurity firm, sensitive data from roughly 17.5 million Instagram accounts has been leaked and is now circulating freely on hacker forums and dark web marketplaces. The scale and depth of this breach have left millions of users worldwide vulnerable to a range of cyber threats, from phishing to identity theft.
The incident first came to light when Malwarebytes, during its routine dark web monitoring, discovered a post on BreachForums by a threat actor operating under the alias “Solonik.” The post, dated January 7, 2026, offered a dataset titled “INSTAGRAM.COM 17M GLOBAL USERS — 2024 API LEAK,” and claimed to contain over 17 million records in JSON and TXT formats. CyberInsider and other outlets soon confirmed the authenticity of the dataset, which included an alarming array of personally identifiable information.
The leaked data is particularly damaging because it goes far beyond simple usernames. According to Malwarebytes and corroborated by screenshots from dark web listings, the trove contains full names, verified email addresses, international phone numbers, user IDs, partial physical addresses, and other contact information. Some entries even include structured JSON fields that suggest the data was pulled directly from Instagram’s API responses, possibly through insecure endpoints or scraping techniques that bypassed rate-limiting and privacy controls in late 2024.
Malwarebytes warned in its January 10 alert that the exposure of such comprehensive contact details opens the door to sophisticated impersonation attacks, phishing campaigns, and credential harvesting. “Attackers are likely to exploit this information in impersonation attacks, phishing campaigns, and credential harvesting attempts, especially by leveraging Instagram’s password reset mechanism to gain access to user accounts,” the firm cautioned. The combination of email addresses and phone numbers, in particular, is a goldmine for cybercriminals aiming to conduct SIM swapping or social engineering attacks.
Worryingly, the breach is not a theoretical risk. Following the release of the data, numerous Instagram users began reporting a surge of unsolicited password reset notifications. While some of these may be legitimate—triggered by users concerned about their account security—others are likely the result of malicious actors attempting to hijack accounts using the leaked information. The timing and volume of these notifications, as reported by affected users and security researchers, point to active exploitation of the breach.
Meta, Instagram’s parent company, has so far remained silent on the incident. Despite repeated requests for comment from news outlets such as CyberInsider and Mathrubhumi, there has been no official acknowledgment or public statement from Meta regarding the breach as of January 10, 2026. The company’s security pages and social media channels have also been devoid of any reference to the leak, leaving users in the dark about the official response or remediation efforts.
The origins of the breach remain somewhat murky. While the structured nature of the leaked records suggests they were harvested from Instagram’s API—possibly through scraping or exploiting a misconfigured endpoint—there is still uncertainty about whether the vulnerability lay within Instagram’s own systems or a third-party integration. Some cybersecurity experts, including those cited by CSN and other outlets, have classified the incident as a “scraping” operation, rather than a direct intrusion into Instagram’s core servers. The seller “Subkek” claimed the data was “freshly scraped” in the final quarter of 2024, using public APIs and country-specific sources.
Regardless of the technical specifics, the consequences for affected users are clear and immediate. With email addresses, phone numbers, and partial physical addresses exposed, cybercriminals have all the tools they need to craft highly convincing phishing messages. These could appear to come from Instagram or Meta, urging users to reset passwords or verify their identities—tactics designed to trick victims into handing over sensitive credentials or two-factor authentication codes. Malwarebytes has already observed that some users are receiving legitimate-looking password reset notifications, which may be part of ongoing abuse by malicious actors.
In response to the breach, cybersecurity experts are urging all Instagram users to take proactive steps to secure their accounts, whether or not they believe they’ve been directly affected. The most critical recommendations include resetting Instagram passwords, enabling two-factor authentication (2FA) or multi-factor authentication (MFA)—preferably using an authenticator app rather than SMS—and being extremely cautious about unsolicited emails or messages claiming to be from Instagram support. According to Malwarebytes, “Users whose contact details were exposed may receive legitimate-looking emails or messages that prompt them to reset their passwords or verify their identities.”
Malwarebytes has also rolled out a free Digital Footprint scan via its online portal, allowing users to check whether their email addresses appear in the leaked dataset. For those who suspect their accounts may have been compromised, Instagram offers several recovery options. These include requesting a login link, verifying identity through a secure email or—if necessary—submitting a video selfie for accounts with photos. Users are advised to review their account settings, confirm their contact details, remove unfamiliar linked accounts, and revoke access for any suspicious third-party apps.
Despite the widespread alarm, there is currently no evidence that Instagram account passwords themselves were included in the leak. However, the exposed information is more than sufficient for attackers to attempt account takeovers by exploiting password reset or account recovery methods. As such, vigilance remains the order of the day.
The Instagram breach serves as a stark reminder of the persistent risks posed by API vulnerabilities and the importance of robust security practices, both for tech companies and users. While investigations into the precise cause of the leak continue, the incident underscores the need for transparency from major platforms like Meta in the wake of such significant security failures. For now, the best defense for Instagram users is swift action—change those passwords, enable 2FA, and keep a watchful eye on any suspicious activity. After all, in the wild world of the internet, it’s better to be safe than sorry.
