A massive data leak has reportedly exposed information belonging to 17.5 million Instagram users, raising serious privacy and security concerns. The incident was first flagged by Malwarebytes, which linked the leak to a hacker using the name “Solonik.” According to the report, the data was posted on BreachForums on January 7, 2026, making it accessible to other cybercriminals.
In an email sent to users, Malwarebytes claimed it discovered the leak during a routine dark web scan. Its investigation revealed large, well-structured JSON and TXT files that appear to originate from a possible Instagram API exposure dating back to 2024. The scale of the dataset is significant, with records tied to 17.5 million users, suggesting this was not a small or isolated incident.
The leaked data includes several types of sensitive personal information. This reportedly covers Instagram usernames and full names, email addresses, international phone numbers, partial physical addresses, user IDs, and other contact-related details. While passwords were not mentioned as part of the exposed data, the amount of personal information involved is still enough to pose a serious risk to affected users.
Malwarebytes has warned that attackers are likely to abuse this data in multiple ways. The most common risks include impersonation attacks, targeted phishing campaigns, and credential harvesting attempts. One specific concern raised is the potential misuse of Instagram’s password reset system. With access to emails and phone numbers, attackers could attempt account takeovers by triggering password reset requests and tricking users into handing over access.
At the time of writing, Meta, Instagram’s parent company, has not officially confirmed the breach. There has also been no public statement explaining how the data was exposed or whether affected users will be notified directly.
Until more information is available, users should stay alert. Be cautious of suspicious emails or SMS messages that claim to be from Instagram or Meta, especially those asking you to reset your password or verify your account. These messages are often designed to look official but are actually phishing attempts.
To stay safe, it is highly recommended to enable two-factor authentication (2FA) using an authenticator app or SMS, change your Instagram password to something strong and unique, and avoid clicking on unfamiliar links.