A staggering cybersecurity incident has come to light, with 17.5 million Instagram users’ personal information exposed in a data breach advertised on dark web marketplaces.
Cybersecurity firm Malwarebytes first alerted the public via X (formerly Twitter), confirming the leak’s severity as stolen data, including usernames, emails, phone numbers, and partial locations, circulates for sale.
Affected users have reported receiving genuine Instagram password reset notifications, signaling active exploitation attempts.
Screenshots from dark web listings, shared in this conversation, reveal a dataset titled “Instagram.com 1B Users – 2024 Leak,” though it contains 17.5 million records scraped worldwide in late 2024.
Seller “Subkek” claims the data was freshly collected over the prior three months using public APIs and country-specific sources, including usernames, full email addresses, phone numbers, and partial physical addresses.
Sample records displayed in the images confirm the details’ authenticity, with fields like “Usernames, Emails, Phones” explicitly listed alongside a November 2024 timestamp.
This scraping method bypasses traditional hacks, exploiting Instagram’s public profiles and APIs to amass contact data without direct system intrusion. The global reach heightens risks, as cybercriminals can target users across regions with tailored phishing or identity theft schemes.
Data Exposed in Detail
The compromised information forms a dangerous profile for each of the 17.5 million accounts:
| Field | Details Provided | Risk Level |
|---|---|---|
| Usernames | Unique Instagram handles | High instagram-breach1.jpg |
| Emails | Full email addresses | Critical instagram-breach2.jpg |
| Phone Numbers | Direct contact numbers | Critical |
| Locations | Partial addresses/countries | High instagram-breach1.jpg |
This combination enables sophisticated attacks, such as SIM swapping or credential stuffing, where leaked emails and phones facilitate account takeovers.
Beyond sales on platforms like BreachForums, the leak triggers immediate threats. Malwarebytes noted password reset emails hitting users, a tactic to seize control amid weak security practices. No evidence points to passwords being stolen, but paired with prior breaches, this data amplifies vulnerabilities.
Meta (Instagram’s parent) has issued no official statement as of January 10, 2026, leaving users in limbo. Cybersecurity experts speculate the scraping evaded detection due to its non-invasive nature, underscoring API security gaps.
User Protection Steps
Act swiftly to mitigate damage:
- Enable two-factor authentication (2FA) on Instagram immediately.
- Change passwords to strong, unique ones and check for breaches via Have I Been Pwned.
- Monitor emails and phones for suspicious activity; avoid clicking unsolicited links.
- Review app permissions and logins for anomalies.
Organizations should scan employee accounts, as exposed data could fuel corporate espionage. This breach reinforces the need for privacy-focused habits online, with experts calling for stricter API controls from Meta. Vigilance remains key in 2026’s threat landscape.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.