A massive data exposure involving nearly 17.5 million Instagram accounts has surfaced online, significantly raising the risk of phishing and identity fraud, according to cybersecurity firm Malwarebytes.
The leaked database—now circulating freely across hacker forums and dark web marketplaces—contains sensitive user information such as usernames, full names, email addresses, phone numbers, partial physical addresses, and profile-related metadata.
What Was Exposed
Malwarebytes, which discovered the dataset during routine dark web surveillance, said the scale of the leak makes it particularly dangerous. While no passwords have been found in the exposed files, the available contact details are sufficient for cybercriminals to launch targeted attacks.
According to researchers, the leaked data can be misused for:
Phishing and impersonation scams
Fake Instagram password reset attempts
SIM-swapping fraud
Account recovery abuse and credential harvesting
Suspected Source of the Leak
The data is believed to originate from an Instagram API-related vulnerability dating back to 2024. On January 7, a threat actor using the alias “Solonik” allegedly posted the dataset on BreachForums, claiming it contained over 17 million user records.
Samples shared online show data formatted like API responses, indicating it may have been collected through:
Automated scraping
An exposed or misconfigured API endpoint
Improper access controls
The exact technical cause of the leak has not yet been confirmed.
Meta Yet to Respond
Meta, the parent company of Instagram, has not yet officially acknowledged or commented on the reported data exposure.
Rise in Suspicious Password Reset Emails
Following the leak, several Instagram users have reported receiving unexpected password reset emails. Malwarebytes cautioned that while some emails may be legitimate, others could be part of coordinated attack attempts exploiting the exposed contact information.
Although there is no indication that account passwords were compromised, attackers can still abuse Instagram’s account recovery mechanisms using leaked emails and phone numbers.
What Users Should Do Now
Cybersecurity experts recommend immediate preventive steps:
Change your Instagram password
Enable two-factor authentication (2FA) using an authenticator app
Avoid clicking links in unsolicited emails or messages
Monitor accounts for unusual activity
Malwarebytes has also made a free Digital Footprint Scan available to help users check whether their email addresses appear in the leaked dataset.
Experts warn that receiving unrequested password reset emails could be an early sign of an attempted account takeover and should not be ignored.