Malwarebytes warns of Instagram data breach impacting 17.5 million users

A data breach affecting 17.5 million Instagram accounts has been confirmed by security firm Malwarebytes, which warns that the leaked data is already being shared freely on hacker forums.

According to an email alert sent to Malwarebytes users earlier today, the data was discovered during the firm's ongoing dark web monitoring operations. The leak includes a broad range of sensitive user data, including:

• Usernames
• Full names
• Email addresses
• Phone numbers
• Partial physical addresses
• Other contact details

Malwarebytes cautions that attackers are likely to exploit this information in impersonation attacks, phishing campaigns, and credential harvesting attempts, especially by leveraging Instagram's password reset mechanism to gain access to user accounts.

Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more. pic.twitter.com/LXvjjQ5VXL

— Malwarebytes (@Malwarebytes) January 9, 2026

The stolen data appears to originate from an Instagram API leak that occurred in 2024. A threat actor operating under the alias “Solonik” published the dataset on BreachForums on January 7, 2026, offering it for free. The post claims to contain over 17 million records in JSON and TXT formats, targeting instagram.com and allegedly affecting users worldwide. A large number of sample entries included in the post show raw data such as usernames, email addresses, international phone numbers, and user IDs, corroborating Malwarebytes' findings.

Meta, Instagram's parent company, has yet to confirm the breach. CyberInsider's requests for comment from Meta have so far gone unanswered, and there is currently no official statement or public acknowledgment of the incident on Meta's security pages or social media accounts.

While it is unclear whether the compromised data came from an exposed API endpoint, third-party integration vulnerability, or internal misconfiguration, the leak contains entries with structured JSON fields typical of API responses. Some entries include indicators of data collection from profile metadata, possibly scraped or accessed via insecure endpoints before 2025.

Users whose contact details were exposed may receive legitimate-looking emails or messages that prompt them to reset their passwords or verify their identities. Malwarebytes notes that some affected users are already receiving password reset notifications from Instagram, which may be legitimate or part of ongoing abuse by malicious actors.

To assess exposure, Malwarebytes offers a free Digital Footprint scan via its portal, which lets users check whether their email addresses appear in the leaked dataset. Meanwhile, it is recommended to reset Instagram passwords and enable two-factor authentication (2FA).