Instagram Data Breach: Security Breach Exposes Personal Data of 17.5 Million Accounts; Users Receive ‘Password Reset’ Emails

Mumbai, January 11: A significant data breach has compromised the personal information of approximately 17.5 million Instagram users, according to reports from cybersecurity researchers on Saturday. The leak, which surfaced on a prominent hacking forum, has triggered a wave of unsolicited password reset emails and sparked fresh concerns regarding how the social media giant protects its massive user base.

The compromised dataset reportedly includes full names, usernames, phone numbers, and email addresses. While passwords do not appear to be part of the leak, security experts warn that the exposed information is being actively used to facilitate account takeover attempts and sophisticated phishing scams. Instagram Caps Hashtags at Five Per Post in New Policy Shift Amidst Head of Instagram, Mosseri's 'Myth' Claims.

Instagram Data Breach Exposes 17 Million Accounts Worldwide

Origin of the Instagram Data Leak

The breach was first identified by cybersecurity firm Malwarebytes, which detected the data circulating on the dark web under the handle “Solonik.” Analysts believe the information originates from a vulnerability in an Instagram Application Programming Interface (API) that allowed for large-scale data scraping. Instagram Down? Users Report Reels Not Loading, Posting Issues During Outage.

While the scraping reportedly occurred in late 2024, the full dataset was only made widely available on illicit marketplaces this week. This "recycled" data remains highly valuable to cybercriminals because many users maintain the same contact information over several years, allowing attackers to link digital identities to real-world individuals.

Surge in 'Password Reset' Scams

In the days following the leak, millions of users reported receiving legitimate-looking password reset notifications from Instagram. Security researchers explain that hackers are using the stolen email addresses to trigger these official messages from Meta’s servers.

This tactic, known as "notification fatigue," aims to confuse users into accidentally clicking malicious links or providing two-factor authentication (2FA) codes to attackers posing as support agents. By leveraging the platform’s own security system, scammers are able to bypass traditional spam filters, making the campaign particularly effective.

Regulatory Pressure and Meta’s Response

The breach comes at a difficult time for parent company Meta, which is already under intense scrutiny from global regulators. The European Commission and authorities in Spain recently launched investigations into the company's data-handling practices, specifically focusing on how it tracks user activity and manages privacy consent.

As of Sunday morning, Meta has not issued a formal public statement regarding the 17.5 million accounts. However, the company has recently pledged to overhaul its security infrastructure and has begun implementing more transparent privacy dashboards for users in the European Union to comply with the Digital Markets Act.

Steps for User Protection

Cybersecurity experts recommend that all Instagram users take immediate steps to secure their accounts, regardless of whether they have received a suspicious notification. Key recommendations include:

Enable 2FA: Use an authenticator app rather than SMS-based codes, which can be vulnerable to SIM-swapping attacks.

Verify Communications: Check the "Emails from Instagram" tab within the app’s security settings to confirm if a message is genuine.

Update Passwords: Change passwords to a unique, strong string of characters not used on any other website.

The incident serves as a reminder of the persistent risks associated with large-scale data collection and the long shelf-life of leaked personal information.

(The above story first appeared on LatestLY on Jan 11, 2026 07:46 AM IST. For more news and updates on politics, world, sports, entertainment and lifestyle, log on to our website latestly.com).