Instagram Data Breach Exposes Personal Information of 17.5 Million Users
A significant data breach has exposed the personal information of approximately 17.5 million Instagram users, with details including usernames, email addresses, phone numbers, and physical addresses now reportedly available for sale on the dark web. The breach, identified by Malwarebytes during routine dark web monitoring, has led to a surge in password reset emails sent to affected users and raised concerns about the potential for phishing, account takeovers, and more severe real-world threats such as stalking and extortion. Security researchers note that the leaked data appears to be more comprehensive than previous incidents, with attackers possibly correlating Instagram user IDs with external data sources to link online identities to real-world addresses.
The compromised database, described as a "doxxing kit," is being sold in batches on cybercrime forums, increasing the risk of targeted attacks against those affected. While Meta has not yet issued an official statement regarding the incident, security experts warn that the exposure of physical addresses alongside digital identifiers significantly elevates the privacy and safety risks for users. The breach underscores the importance of enabling two-factor authentication and monitoring for suspicious account activity, as the stolen data is actively circulating and may be used for a range of malicious purposes beyond typical credential abuse.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Have I Been Pwned adds the Instagram scraped dataset
Have I Been Pwned published an entry for the Instagram incident, describing a January 2026 forum post containing about 17 million rows of scraped public account data. HIBP said about 6.2 million records included email addresses, some included phone numbers, and there was no evidence that passwords were exposed.
Researchers conclude the alleged 2026 leak is recycled old data
Follow-up reporting and researcher analysis concluded there was no evidence of a new Instagram breach in January 2026. The dataset being marketed as a fresh API leak was assessed to be a repackaged compilation of previously scraped data, likely unrelated to the password reset email activity.
Meta says no breach occurred and fixes password reset abuse issue
Instagram's parent company Meta publicly denied that Instagram had suffered a breach and said accounts remained secure. It stated that it fixed an issue that allowed an external party to mass-trigger password reset emails for some users and advised recipients to ignore those messages.
Users report wave of unsolicited Instagram password reset emails
Around the same time the dataset claims spread, Instagram users in multiple countries reported receiving repeated password reset emails they did not request. The surge fueled fears of account compromise, although later reporting said the reset-email issue was separate from the recycled dataset.
Malwarebytes flags 17.5M-record Instagram dataset for sale
During routine dark web monitoring, Malwarebytes identified a large Instagram-related dataset being offered for sale on cybercrime forums and warned that it affected roughly 17 to 17.5 million accounts. The company said the data included usernames and various personal details such as email addresses, phone numbers, and physical addresses.
Instagram dataset reposted on BreachForums as a '2024 API LEAK'
On January 7, 2026, a BreachForums user reposted the old 17 million-record Instagram dataset under the title '2024 API LEAK,' rebranding it as a fresh breach. The same data also appeared on LeakBase around the same time, helping trigger renewed attention.
Scraped Instagram dataset was first publicly posted in June 2023
Hackread reported that the same 17,017,213-record dataset later discussed in January 2026 was first posted publicly in June 2023. The file was associated with an earlier BreachForums user and matched the records later recirculated as a supposed new leak.
Instagram data was originally scraped in 2022
Multiple reports and researchers assessed that the 17 million-record Instagram dataset was not newly stolen in 2026 but originated from scraping activity in 2022. The data appears to have been compiled from public Instagram information and, in some cases, enriched with additional contact details from other sources.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
10 references tracked. Mallory keeps watching after this page renders.
Digging For Vulnerability Gold - PSW #909 | SC Media
scworld.com
Open sourceMeta Calls for Calm Amidst Instagram Password Reset Panic
techrepublic.com
Open sourceThere was no data breach, Instagram says
helpnetsecurity.com
Open sourceInstagram refutes widespread data leak claims
scworld.com
Open sourceInstagram denies breach amid claims of 17 million account data leak
bleepingcomputer.com
Open sourceInstagram’s “17 Million User Data Leak” Was Just Scraped Records from 2022
hackread.com
Open sourceAn Instagram data breach reportedly exposed the personal info of 17.5 million users
engadget.com
Open sourceA massive breach exposed data of 17.5M Instagram users
securityaffairs.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Instagram Password Reset Spam and Data Leak Claims
Instagram experienced a large-scale abuse of its password reset feature, resulting in a flood of password reset emails sent to users. The company confirmed that this activity was due to external parties exploiting the password reset mechanism using stolen email addresses, but emphasized that there was no breach of its internal systems. Instagram stated it has since fixed the issue and reassured users that their accounts remain secure, advising them to disregard the unsolicited password reset emails. Simultaneously, cybersecurity firm Malwarebytes and other researchers reported that data from approximately 17.5 million Instagram accounts—including usernames, email addresses, phone numbers, and physical addresses—was leaked and distributed on hacking forums. While some sources suggest the data may have originated from previous API scraping incidents, Instagram and its parent company Meta deny any recent breach or API vulnerability, and the exact source and timing of the leaked data remain unconfirmed. The incident highlights the risks of feature abuse and the ongoing challenges of protecting user data from large-scale scraping and credential-based attacks.
Mar 21, 2026
Massive Credential Exposure Reveals Billions of Stolen Login Records
Researchers and media reports disclosed enormous troves of exposed login data, including an unprotected 47.42 GB database containing **184,162,718** unique usernames and passwords tied to services such as Microsoft, Facebook, Google, Instagram, Snapchat, Discord, Netflix, PayPal, and government portals in 29 countries. Security researcher Jeremiah Fowler found the database on an unmanaged server with no password protection or encryption, and sample records included account types, website URLs, and plaintext passwords labeled `senha`. Fowler said multiple individuals confirmed the leaked credentials were genuine after he contacted them directly. The exposed records are believed to be linked to **infostealer malware** and broader malware-as-a-service collection operations, with subsequent reporting describing a far larger cache totaling **16 billion** credentials affecting major consumer platforms including Apple, Facebook, and Google. The disclosures raise immediate risks of credential stuffing, account takeover, phishing, fraud, and unauthorized access to corporate and government systems. Public access to the 184 million-record database was later restricted after responsible disclosure to the hosting provider, but the owner of the data remains unidentified.
May 25, 2026
Tumblr Breach Exposed More Than 65 Million Accounts
Tumblr suffered a major breach that exposed data from more than 65 million user accounts, according to breach tracking and reporting tied to the incident. The compromised records included email addresses and passwords, with the passwords stored as salted `SHA-1` hashes, indicating attackers obtained credential data that could still pose risk if reused elsewhere. Subsequent analysis and reporting said the stolen database was later circulated and offered for sale on a dark market site, turning the intrusion into a broader credential exposure event. The scale of the breach placed Tumblr among the larger consumer platform compromises, and the publication of the dataset increased the likelihood of credential stuffing and account takeover attempts against affected users.
Jun 8, 2026