...
...
Next Story

Over 17.5 million Instagram users' personal data leaked on the dark web

The personal data of millions of Instagram users, including their email addresses and phone numbers, has been leaked on the dark web.

Published on: Jan 12, 2026 10:27 AM IST

Millions of Instagram users may face online risks after a large set of personal data linked to the platform surfaced on hacker forums and dark websites, according to a report by cybersecurity firm Malwarebytes. The firm said it discovered data related to about 17.5 million Instagram accounts during routine monitoring of underground platforms. Now that the information is in circulation and on sale, concerns about misuse have been raised.

The personal data of 17.5 million Instagram users has been leaked and is now on sale on the dark web. (UnSplash)
The personal data of 17.5 million Instagram users has been leaked and is now on sale on the dark web. (UnSplash)

Ijaj Khan is a technology journalist and Senior Content Producer at Hindustan Times, with over three years of experience covering the consumer technology industry. His work spans smartphones, laptops, wearables, gaming, appliances and AI - from hands-on reviews, comparison and buying guides to breaking news and in-depth features that help readers cut through the noise and make informed decisions. Before joining HT Tech, he worked with Jagran New Media, where he sharpened his instincts for fast-paced digital reporting. He holds a Post Graduate Diploma in English Journalism and Mass Communication from the Indian Institute of Mass Communication (IIMC), Delhi. Whether he's testing the latest flagship smartphone, tracking a major AI announcement, or putting a gaming laptop through its paces, Ijaj approaches every story with the same goal - making technology feel relevant and easy to understand for everyday users, not just enthusiasts. When he's not in front of a screen for work, he's usually travelling to a new city, hunting for great food, or keeping tabs on what's next in tech before everyone else catches on.

Read moreRead less

Malwarebytes reported that the exposed records include usernames, full names, email addresses, phone numbers, partial physical addresses, and other contact details. While there is no indication that account passwords were part of the leak, the available data could still enable misuse.

Also read: CES 2026: 6 coolest tech highlights, from humanoid robots to PC keyboards

According to the firm, attackers can use such information to carry out impersonation attempts, phishing messages, and account recovery abuse. Cybercriminals may also trigger password reset requests to gain control of accounts by exploiting known recovery processes.

Source of the Leak

The leaked data is believed to be linked to an Instagram application programming interface incident that occurred in 2024. On January 7, a user operating under the name “Solonik” shared the dataset on BreachForums and offered it for free. The post claimed the files contained more than 17 million Instagram user records in JSON and TXT formats, covering users across regions.

Also read: Buying a room heater this winter? 5 Checks that matter more than price

Sample files posted online showed usernames, email addresses, phone numbers, user IDs, and profile details. Malwarebytes said this matched the data it observed. The structure of the records resembles automated system responses, suggesting the data may have been gathered through scraping, an exposed interface, or a system configuration issue. The exact method remains unconfirmed.

Response from Meta

Also read: Oppo Reno 15 Pro 5G Review: Premium ambitions with practical brilliance

What Users Should Know

After the data surfaced online, some Instagram users reported receiving password reset emails they did not request. Malwarebytes said some messages may be genuine, while others could be linked to attempts to misuse leaked contact details.

The firm stated that exposed emails and phone numbers are enough to support phishing efforts, SIM swap attempts, and account takeover efforts, even without passwords.

Users are advised to update their Instagram passwords, enable two-factor authentication using an authentication app, and avoid clicking on links from unexpected messages. Malwarebytes also suggested users check whether their email addresses appear in the leaked dataset through available scanning tools. Unrequested password reset emails may indicate an attempt to access an account.

 
SHARE THIS ARTICLE ON