A significant security breach has compromised approximately 17.5 million Instagram user accounts, exposing sensitive personal information that is now circulating on the dark web.
The incident reported earlier this week by cybersecurity firm Malwarebytes raised urgent concerns about user privacy and account security.
What Data Was Exposed
The breach encompasses a wide range of personal information that could put affected users at serious risk. Compromised data includes usernames, email addresses, phone numbers, and physical addresses.
This combination of information makes users particularly vulnerable to identity theft, phishing, and social engineering.
Malwarebytes has confirmed that the stolen database is actively being traded on dark web marketplaces, making it accessible to cybercriminals worldwide.
Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more. pic.twitter.com/LXvjjQ5VXL
— Malwarebytes (@Malwarebytes) January 9, 2026
The availability of this data has already led to real-world consequences, with multiple users reporting receiving legitimate Instagram password reset notifications, a clear indication that threat actors are attempting to hijack accounts using the leaked information.
Exposing email addresses and phone numbers linked to Instagram accounts creates opportunities for targeted phishing campaigns.
Instagram screenshots reveal a dark web listing for a massive 17.5 million Instagram user data leak from late 2024, featuring usernames, emails, phones, and partial locations scraped worldwide. This aligns with Malwarebytes’ recent alert about active exploitation, including password reset attempts on affected accounts.
Cybercriminals can use this information to craft convincing messages that appear to come from Instagram or Meta, potentially tricking users into revealing passwords or other sensitive credentials.
The seller, identified as “Subkek,” claims the data was freshly scraped in the last three months of 2024 via public APIs and country-specific sources. Exposed fields include usernames, full emails, phone numbers, and partial physical locations, with sample records visible in the listings.
Users who suspect their accounts may be affected should immediately enable two-factor authentication, change their passwords to unique and complex combinations, and remain vigilant for suspicious emails or messages claiming to be from Instagram.
Additionally, monitoring for unauthorized login attempts and reviewing connected apps and services is crucial during this period.
Instagram and its parent company, Meta, have not yet released an official statement regarding the scope of the breach or remediation efforts.
Cybersecurity experts continue to investigate how the data was obtained and whether the breach resulted from a vulnerability in Instagram’s systems or through a third-party service.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
