
Malwarebytes has found evidence of a leak through an API vulnerability, warning users to be wary of fake password reset emails and urging them to immediately enable two-factor authentication.
Malwarebytes, a cybersecurity company, has warned of a data leak affecting over 17.5 million Instagram user accounts. The leaked data has already been freely distributed on underground forums, posing a risk of phishing attacks.
Malwarebytes stated that the leaked data is sensitive, including users' full names, addresses, emails, phone numbers, and other contact details.
The data is believed to originate from an Instagram API vulnerability that occurred in 2024. A hacker named Solonik posted large data files (in JSON and TXT formats) on the BreachForums website on 7 Jan 2026 GMT+7. Sample checks confirmed the authenticity of the data, which contains User IDs and international phone numbers.
A major concern is that hackers may use the leaked emails and phone numbers to send deceptive messages pretending to be from Instagram to trick users into clicking "reset password" or "verify identity" links. Some users have already reported receiving suspicious password reset emails.
So far, there has been no response from Meta, Instagram’s parent company. Meanwhile, users are advised to enable two-factor authentication to make account access more difficult.
Source: Malwarebytes