SAN FRANCISCO – Cybersecurity company Malwarebytes says it has spotted a large dataset linked to around 17.5 million Instagram accounts. The files showed up during the firm’s dark web monitoring and are now being shared across underground forums and marketplaces, sometimes for free and sometimes for a fee.
Malwarebytes first drew attention to the issue in alerts sent to customers and posts shared online around 9 January 2026. Concern spread quickly as many users reported unexpected password reset emails from Instagram, with reports increasing worldwide earlier that week.
What the exposed data includes, and why it’s a problem
Based on Malwarebytes’ findings and reports from other security sources, the records contain more than just basic profile details. The dataset reportedly includes Instagram usernames, full names, email addresses, international phone numbers, partial physical addresses, user IDs, and other account metadata. It looks like the information came from structured API responses, rather than a simple list compiled from public pages.
The leak is being linked to a late-2024 “API leak”, where automated scraping is said to have gotten around rate limits and similar protections to collect profile data at scale. A user going by the name “Solonik” posted the files in JSON and TXT formats on BreachForums on 7 January 2026, with a title claiming “INSTAGRAM.COM 17M GLOBAL USERS, 2024 API LEAK”. Samples shared publicly appear to show real usernames, emails, and phone numbers.
There are no passwords in the dump, which reduces the chance of direct logins using stolen credentials. Even so, the amount of contact data is still valuable to criminals. Malwarebytes warned that the information “is available for sale on the dark web and can be abused by cybercriminals” for impersonation, targeted phishing, and credential theft.
With names, locations, and phone numbers, attackers can write believable messages that look like Instagram support. Some may try SIM swapping, where a phone number is taken over to capture two-factor codes. Others may use social engineering to pressure users into sharing login details.
Password reset emails add to the panic
At the same time, large numbers of Instagram users started receiving password reset emails that looked legitimate, often from security@mail.instagram.com, from around 8 January 2026. Many people said they never asked for a reset, which triggered fears that accounts were being targeted.
Malwarebytes suggested these reset messages were connected to the exposed data, with attackers using the leaked emails to send automated “forgot password” requests in bulk. This can help criminals check which emails are tied to accounts, flood inboxes with noise, and set up later scams, such as sending fake reset links after users are on edge.
Screenshots and complaints spread quickly on forums and social media. Some users said they received multiple reset emails in a short time. What first looked like a system bug started to make more sense once the alleged 17.5 million record dump came to light.
Meta says there was no breach
Instagram and its parent company, Meta, rejected the idea of a system breach. In a post on X on 11 January 2026, Instagram said: “We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems and your Instagram accounts are secure. You can ignore those emails, sorry for any confusion.”
Meta has not published a detailed statement confirming the 17.5 million number or explaining where the dataset came from. Instead, the company described the reset email surge as abuse of a now-fixed flaw that allowed bulk reset requests, rather than a sign that Instagram’s internal systems were hacked.
The response is similar to how Meta has handled past scraping cases, including the 2021 exposure involving over 530 million users, which was linked to scraped public profile data rather than a direct hack. Some critics say this approach plays down repeated scraping risks, while others point out that there’s no clear sign that core systems were breached.
What can users do now?
Even if the full scale and origin of the dataset can’t be confirmed, and Meta disputes the “breach” label, the risk to users is real. Exposed contact details can raise the odds of phishing and identity fraud, especially for people who are well-known, run businesses, or are more exposed online.
Security experts, including Malwarebytes, recommend these steps:
- Change your password in the Instagram app or on the official website, not through email links.
- Turn on two-factor authentication (2FA) and use an authenticator app rather than SMS where possible.
- Ignore unexpected password reset emails and check your account by logging in directly.
- Check if your details have been exposed using tools like HaveIBeenPwned.com or Malwarebytes’ Digital Footprint scan.
- Watch for phishing attempts that use personal details to sound convincing.
This also fits a wider pattern. Instagram and other major platforms have faced repeated issues linked to scraping, exposed datasets, and privacy controls, including other large Instagram datasets reported in late 2024.
What this means for trust in Instagram
With Instagram nearing 2.5 billion monthly users, incidents like this can shake confidence, even if they come from scraping rather than a classic breach. A public dump of 17.5 million records, whatever the source, shows how quickly personal data can spread once it hits underground channels.
The best approach is calm vigilance. The biggest harm often comes after the leak, when criminals start using the information. Strong passwords, app-based 2FA, and a sceptical eye on unexpected messages still go a long way.





