A massive data breach has exposed the personal information of approximately 17.5 million Instagram users, with sensitive details now actively circulating on dark web marketplaces. Cybersecurity firm Malwarebytes discovered the leak on January 9, 2026, during routine dark web monitoring when researchers found a post on BreachForums by a threat actor operating under the alias Solonik.
The compromised data includes usernames, verified email addresses, phone numbers, physical addresses, and partial location information. The threat actor, also known as Subkek, claims the information was harvested toward the end of 2024 using public-facing APIs and region-specific sources. The listing was titled Instagram 17M Global Users 2024 API Leak, with data formatted in JSON and TXT files available for purchase.
While passwords do not appear to be part of the plain-text dump, security experts warn that the combination of contact details and real-world location data creates what they describe as a gold mine for cybercriminals. The exposed information is sufficient for sophisticated phishing campaigns, identity theft, and social engineering attacks targeting millions of users worldwide.
Following the leak's appearance online, multiple Instagram users have reported receiving unsolicited but legitimate password reset notifications from the platform. Security researchers indicate this is evidence that bad actors are already utilizing the leaked usernames and emails to attempt account hijacking. The combination of emails and phone numbers also enables dangerous SIM-swapping attacks that can bypass two-factor authentication.
Meta, Instagram's parent company, issued a statement on January 11 clarifying the situation. The company stated that they fixed an issue that allowed an external party to request password reset emails for some users. Meta emphasized that no security breach of their systems occurred and that Instagram accounts remain secure, attributing the incident to data scraping rather than a direct hack.
Cybersecurity experts are urging all Instagram users to take immediate protective measures. Recommendations include enabling two-factor authentication using authenticator apps rather than SMS-based verification, which is more resistant to SIM-swapping attacks. Users should also change their passwords to unique complex combinations and monitor their accounts for any unauthorized login attempts.
Users concerned about whether their information was compromised can check the Have I Been Pwned website by entering their email address or phone number. Security professionals advise disregarding any unprompted password reset emails and reviewing all connected third-party apps and services linked to Instagram accounts. The incident highlights ongoing vulnerabilities in social media platforms and the importance of proactive security measures.
Comments