Massive Instagram Data Leak Exposes Details of 17.5 Million Users, Malwarebytes Warns
A major data breach affecting nearly 17.5 million Instagram accounts has come to light, raising fresh concerns about user privacy and online security. Cybersecurity firm Malwarebytes revealed that sensitive user information from the platform is already circulating freely on hacker forums and across the dark web.
Malwarebytes said the exposed dataset was discovered during its routine monitoring of underground cybercrime networks. The leaked information reportedly includes Instagram usernames, full names, email addresses, phone numbers, partial physical addresses and other contact details, putting millions of users at risk of targeted cyberattacks.
In a post on social media, Malwarebytes confirmed that cybercriminals had obtained personal data linked to 17.5 million Instagram accounts, warning that the sheer scale of the leak makes it particularly dangerous.
High risk of phishing and impersonation
Security experts at Malwarebytes cautioned that the exposed data could easily be weaponised. Attackers may use the information to launch phishing campaigns, impersonation scams and credential-harvesting attempts. Of particular concern is the possibility of abusing Instagram’s password recovery process to try to take over accounts.
“The volume and depth of the data significantly increase the likelihood of abuse,” the firm noted, adding that bad actors often combine leaked contact details with social engineering tactics to deceive users.
Suspected source: Instagram API leak
The data is believed to have originated from an Instagram API vulnerability dating back to 2024. On January 7, a threat actor using the alias “Solonik” reportedly shared the dataset on BreachForums, offering it for free. The post claimed the leak contained more than 17 million user records in both JSON and TXT formats, impacting users globally.
Samples circulating online include usernames, email addresses, phone numbers, user IDs and profile metadata. According to Malwarebytes, the structure of the files resembles API responses, suggesting the information may have been collected through large-scale scraping, an exposed endpoint or a misconfigured system. The exact method used to obtain the data remains unclear.
Meta yet to respond
Meta, the parent company of Instagram, has so far not issued any public statement confirming or denying the breach.
Spike in password reset emails worries users
In the wake of the leak, many Instagram users have reported receiving unexpected password reset emails. Malwarebytes said some of these messages may be legitimate, but others could be linked to malicious attempts to access accounts.
While there is no indication that Instagram passwords themselves were compromised, the leaked contact information is sufficient for phishing scams, SIM-swapping attacks and abuse of account recovery features.
The cybersecurity firm also warned that the dataset is being traded on dark web marketplaces, making it easily accessible to cybercriminals.
What users should do now
Malwarebytes advises Instagram users to take immediate precautions. This includes changing account passwords, enabling two-factor authentication using an authenticator app, and staying alert to suspicious emails or messages claiming to be from Instagram.
Users who receive password reset emails they did not request should treat them as a red flag that someone may be attempting to access their account.
To help users assess their exposure, Malwarebytes is offering a free Digital Footprint scan that allows individuals to check whether their email addresses appear in the leaked dataset.
As investigations continue, cybersecurity experts stress that vigilance and strong account security remain the best defence against the fallout from large-scale data breaches.
