A major Instagram data breach has exposed sensitive personal details of 17.5 million users, now circulating across dark web forums.
Quick Summary – TLDR:
- 17.5 million Instagram accounts compromised, exposing personal data like emails and phone numbers
- Data is now freely available on hacker forums, increasing risks of identity theft and phishing
- Origin of breach possibly linked to an Instagram API leak from 2024, posted by a hacker named “Solonik”
- Meta has not issued an official statement, leaving users in the dark about the full extent
What Happened?
A massive leak of Instagram user data has surfaced on dark web forums, with 17.5 million accounts reportedly affected. The leak, initially flagged by cybersecurity firm Malwarebytes, includes a dangerous mix of personally identifiable information. The breach appears to be part of a growing trend where cybercriminals exploit platform vulnerabilities to harvest user data for phishing and fraud schemes.
Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more. pic.twitter.com/LXvjjQ5VXL
— Malwarebytes (@Malwarebytes) January 9, 2026
How the Breach Was Discovered?
Malwarebytes discovered the leak during its regular dark web monitoring. The firm confirmed that a threat actor using the alias “Solonik” posted the data on BreachForums on January 7, 2026. The dataset contains structured JSON and TXT files, typical of API response formats, suggesting that the breach may be tied to an exposed Instagram API endpoint from 2024.
The data set includes:
- Usernames
- Full names
- Email addresses
- International phone numbers
- Partial physical addresses
- User IDs and other contact info
These records were shared for free on underground forums, making them accessible to a wide range of bad actors.
What This Means for Users?
With this much personal information exposed, users are now vulnerable to:
- Phishing campaigns using legitimate-looking emails or SMS pretending to be from Instagram or Meta.
- Impersonation attacks that can hijack accounts or trick users into sharing more personal info.
- Credential harvesting, especially if users reused their Instagram password on other platforms.
Some users have already reported receiving Instagram password reset notifications, an early sign that hackers are attempting to exploit the stolen data.
No Response Yet from Meta
Despite mounting concerns, Meta has not confirmed the breach nor addressed user safety measures. Cybersecurity experts have reached out to Meta, but the company has remained silent on social media and its official security pages.
This silence has left users without clarity about the source of the leak or what steps Meta is taking to mitigate risks. Experts believe the breach could stem from either a direct vulnerability in Instagram’s API or through a connected third-party service.
How to Protect Yourself?
Security specialists are advising all Instagram users to take the following actions immediately:
- Enable two-factor authentication (2FA) to secure your account from unauthorized logins.
- Change your Instagram password and avoid reusing it on other services.
- Stay alert for suspicious emails or texts asking you to verify credentials.
- Review your account’s login history and active sessions.
- Check and remove third-party apps connected to your Instagram profile.
Even if you haven’t received a breach notification, taking these precautions is strongly recommended.
SQ Magazine Takeaway
Honestly, this is a huge deal. If you’re on Instagram, your data might already be out there. What bothers me most is the silence from Meta. When 17.5 million people are potentially exposed, you’d expect the company to step up fast. Instead, users are left guessing while their info is traded on hacker forums. I’ve already changed my password and turned on 2FA, and if you haven’t, you should do it now. This is not just another breach but it’s your digital identity on the line.
