Instagram might have just fallen victim to a massive data breach impacting up to 17.5 million Instagram accounts. And even though the social media platform has billions of users (it crossed the 3 billion monthly active user mark according to Mark Zuckerberg in September 2025), there’s a good chance you’re among the users who could be affected.
Malwarebytes reports a massive Instagram data leak affecting millions
Malwarebytes, a cybersecurity firm, reported that the breach revealed sensitive data associated with affected accounts, including usernames, email addresses, phone numbers, physical addresses, and more. An article published on January 10 by the cybersecurity outlet Cyberinsider claimed that the stolen data was sourced through an Instagram API leak that occurred in 2024.
They explained that a hacker under the name Solonik published a dataset containing this information on BreachForums, an online forum where hackers and cybercriminals share, sell, and trade stolen data.
The dataset was allegedly published on January 7, 2026, and included over 17 million records in JSON and TXT formats. Many of the sample entries in the dataset showed raw data such as usernames, email addresses, international phone numbers, and user IDs, which corroborates Malwarebytes’ findings.
The breach now seems to be playing out through fake password reset emails, which affected users report receiving. Although the leaked information doesn’t appear to contain account passwords, this is an extremely common phishing tactic, where attackers use leaked data to make emails look legitimate and trick users into handing over their passwords.
The email includes a Reset Password button and a message: “If you ignore this message, your password will not be changed. If you didn’t request a password reset, let us know.”
Hackers are counting on users panicking and clicking that link, which could hand over control of their accounts.
What to do if your Instagram account is targeted
If you’ve received an email asking you to reset your Instagram account’s password, do not click it. Instead, head to your Instagram account in the app itself and reset your password manually through the official settings. You should also enable two-factor authentication to add an extra layer of security.
You can also verify if the email is official by heading to your Instagram profile, clicking the hamburger icon at the top-right corner, and tapping Accounts Center. Then, hit Password and Security under account settings, and tap Recent Emails. Here, Instagram will show you a list of emails it has actually sent. If the suspicious email you received isn’t listed, it’s a phishing attempt and should be ignored or deleted immediately.
At the time of writing, Meta has not confirmed the breach or provided any details about it. We’ve reached out to Meta for comment and will share any updates as soon as they’re available.