A massive dataset containing personal information for 17.5 million Instagram users has surfaced on a hacking forum, reportedly stemming from an API exposure. The leak includes usernames, email addresses, and phone numbers, creating significant risks for phishing and account takeovers.
A significant data security incident has reportedly compromised the personal information of approximately 17.5 million Instagram users. The dataset was discovered by cybersecurity firm Malwarebytes during a routine dark web scan and was subsequently posted on the hacking forum BreachForums on January 7, 2026. The data was shared by a threat actor using the alias "Solonik," making the files accessible to other cybercriminals.
The Source and Scope of the Breach
According to Malwarebytes' investigation, the leaked data is contained in large, well-structured JSON and TXT files. The structure of these files suggests they may have originated from a vulnerability or misconfiguration in the Instagram API. While the exact date of the data extraction is not confirmed, the content appears to reference information dating back to 2024. This indicates that the data may have been circulating privately for some time before being released publicly.
The sheer volume of the dataset—17.5 million unique records—points to a systemic issue rather than a targeted attack on specific individuals. This scale of exposure is particularly concerning because it provides a comprehensive pool of data for attackers to exploit.
What Information Was Exposed?
The leaked files contain a variety of sensitive personal data points. While login credentials like passwords were reportedly not included, the remaining information is sufficient to facilitate serious privacy violations. The exposed data includes:
- Instagram Usernames and Full Names: This allows attackers to identify specific individuals and link their Instagram profiles to their real-world identities.
- Email Addresses: A primary vector for phishing attacks and spam.
- International Phone Numbers: Enables targeted SMS-based phishing (smishing) and social engineering attacks.
- User IDs: Internal identifiers that can be used to map accounts.
- Partial Physical Addresses: This is a particularly sensitive piece of data that significantly increases the risk of identity theft and targeted harassment.
- Other Contact-Related Details: Additional metadata that can be used to build a detailed profile of a user.
The Risks: Beyond Simple Spam
The primary danger of this leak is not just the receipt of unwanted marketing emails. Security experts at Malwarebytes have outlined several specific threats that affected users now face:
- Targeted Phishing and Impersonation: Armed with real names, addresses, and phone numbers, attackers can craft highly convincing phishing emails or text messages. A message that references a user's actual location or full name is far more likely to be trusted than a generic scam.
- Account Takeover Attempts: The combination of email addresses and phone numbers creates a direct path for account hijacking. Attackers can use this information to trigger Instagram's official password reset function. By intercepting the reset link or tricking the user into providing the code, they can gain control of the account.
- Credential Stuffing: Although passwords were not leaked, users who reuse passwords across different services are at risk. Attackers can take the email addresses from this leak and attempt to use them to access accounts on other platforms like Facebook, Twitter, or banking services.
- Identity Theft: With a full name, phone number, email, and partial address, malicious actors have enough information to attempt to open fraudulent accounts or commit other forms of identity theft.
Meta's Response and User Safety Recommendations
At the time of the initial report, Meta, the parent company of Instagram, had not released an official statement confirming the breach or detailing the specific nature of the API exposure. There has been no public announcement regarding whether the company will directly notify the 17.5 million affected users.
Given the uncertainty and the severity of the potential risks, users should take immediate proactive steps to secure their accounts and personal information:
- Enable Two-Factor Authentication (2FA): If you haven't already, enable 2FA on your Instagram account immediately. While SMS-based 2FA is better than nothing, using an authenticator app (like Google Authenticator or Authy) is significantly more secure as it is not vulnerable to SIM-swapping attacks.
- Change Your Instagram Password: Update your password to a strong, unique combination of characters that you do not use for any other service. A password manager is highly recommended for generating and storing secure passwords.
- Be Extremely Wary of Unsolicited Communications: Treat any unexpected emails, texts, or direct messages claiming to be from Instagram or Meta with extreme suspicion. Do not click on any links contained within them. Specifically, be on the lookout for messages that pressure you to reset your password or verify your account details.
- Audit Your Connected Apps: Review the third-party apps and services that have access to your Instagram account and revoke access for any you no longer use or recognize.
This incident serves as a stark reminder of the persistent risks associated with large-scale data collection and the importance of robust API security. For users, it underscores the necessity of maintaining good digital hygiene and assuming that some of their personal data may already be in the hands of threat actors.
Comments
Please log in or register to join the discussion