ALERT: Instagram Breach Reportedly Exposes 17.5 Million Users
Just as we settle into the new year, a massive cybersecurity scare is shaking up social media. A new report from security firm Malwarebytes indicates that the personal information of approximately 17.5 million Instagram users has been exposed and is currently circulating on the dark web.
If you have received a random "Reset Your Password" email from Instagram in the last few days, you are likely not alone—and it might be connected to this breach.
The Discovery
On January 10, 2026, Malwarebytes confirmed via X (formerly Twitter) that they had discovered a massive dataset being traded on hacker forums. The leak was reportedly published by a threat actor known as "Solonik" on January 7, offering the data for free.
While the data appears to originate from an API leak that occurred in late 2024, its public release this week has made it a fresh and immediate threat.
What Was Leaked?
According to the report, the exposed database contains sensitive personal information that could leave users vulnerable to phishing and identity theft. The leak includes:
Usernames
Email addresses
Phone numbers
Real names
Partial physical addresses
User IDs
The Good News: Currently, there is no evidence that passwords were included in this specific dump. However, the combination of email, phone number, and physical location is more than enough for cybercriminals to launch sophisticated attacks.
The "Password Reset" Storm
This breach report coincides with a wave of user complaints about unsolicited password reset emails. Over the past 48 hours, thousands of users have reported waking up to dozens of legitimate emails from Instagram asking them to reset their credentials.
Meta's Response
Meta (Instagram's parent company) has denied that their systems were breached. In a statement to the press, a spokesperson said:
"We fixed an issue that allowed an external party to request password reset emails for some Instagram users. We want to reassure everyone that there was no breach of our systems, and people's Instagram accounts remain secure."
Security experts argue that while Meta's internal systems might be safe, the mass password reset requests are likely being triggered by hackers using the leaked emails and usernames to test which accounts are active.
What You Should Do Now
Even if you haven't received a suspicious email, you should take immediate steps to lock down your account.
Do NOT Click the Links: If you receive a password reset email you didn't ask for, ignore it. Do not click any buttons inside the email.
Enable App-Based 2FA: SMS two-factor authentication is vulnerable to "SIM swapping" (especially since phone numbers were leaked). Switch to an authenticator app like Google Authenticator or Authy.
To change your two-factor method, go to Settings > Accounts Center > Password and Security > Two-factor authentication.
Check Your Digital Footprint: Malwarebytes and other security sites are likely to update their "Am I Pwned" tools soon. Keep an eye out to see if your specific email was part of the 17.5-million-record set.
Stay safe out there. We will update this post if Meta releases further clarification.
