A MASSIVE data breach has exposed the personal information of about 17.5 million Instagram users.
The breach has triggered a global surge in suspicious password reset attacks and put millions at risk of cybercrime.
The leak was first uncovered by cybersecurity researchers at Malwarebytes and later verified against listings circulating on dark web forums, where the data is being actively traded.
According to the researchers, the compromised dataset appeared earlier this week on a notorious hacking forum, posted by a threat actor using the alias “Solonik.”
The listing, titled “INSTAGRAM.COM 17M GLOBAL USERS — 2024 API LEAK,” claims to contain 17.5 million Instagram user records available in both JSON and TXT formats.
The hacker alleges the data was harvested in late 2024 through an “API Leak,” allowing them to bypass standard security protections and scrape user profiles from across the globe.
Cybersecurity experts say the scale of the collection points to serious failures in Instagram’s rate-limiting or privacy safeguards, since millions of automated profile requests would have had to go undetected.
Unlike previous social media leaks that only exposed usernames, this dataset contains a deeply detailed profile of each victim.
The leaked information includes full names, usernames, verified email addresses, phone numbers, user IDs, country information, and partial location data.
Screenshots shared on hacking forums appear to confirm the authenticity of the data, showing neatly structured records that allow criminals to build comprehensive profiles of potential targets.
Experts warn the breach has already moved from a passive data leak to active exploitation.
In the hours following the data dump, Instagram users across multiple countries reported a sharp spike in unsolicited password reset emails landing in their inboxes.
While the leaked database does not appear to contain account passwords, cybersecurity specialists warn that the exposed emails and phone numbers are more than enough to fuel serious attacks.
Criminals can use the information to carry out SIM-swapping attacks, impersonate Instagram support staff, or launch highly targeted phishing campaigns.
By using personal details pulled from the leak, scammers can establish trust and trick victims into handing over login credentials or two-factor authentication codes.
The incident has been classified as “scraping,” meaning data was harvested through public-facing interfaces rather than a direct breach of Instagram’s core servers.
However, experts stress that the sheer volume of data points to a significant “API Leak” that should never have been possible at this scale.
As of January 10, 2026, Meta has not issued a formal statement addressing the specific 17.5 million-record data dump.
Cybersecurity experts are urging Instagram users to take immediate action to secure their accounts.
They recommend enabling multi-factor authentication with an authenticator app rather than SMS codes, because codes sent by text message can be intercepted through SIM-swapping.
Users are also being warned to ignore any unprompted password reset emails and to avoid clicking links unless they personally initiated the request.
Instagram users worldwide are now reporting unexpected password reset notifications, with experts warning that panic-clicking is exactly what hackers are counting on.
Davey Winder, a senior contributor to Forbes and a veteran cybersecurity writer, hacker, and analyst, said he was among those targeted.
He revealed that he received a legitimate-looking email on Friday that appeared to be from Instagram, claiming a password reset had been requested for his account.
The email included a large blue Reset Password button alongside the message, “If you ignore this message, your password will not be changed. If you didn’t request a password reset, let us know.”
According to Forbes, hackers are relying on users to panic and click the button or the “let us know” hyperlink without thinking.
Experts say that even if a user clicks the link, attackers would still need additional information, such as the reset code or link delivered to the victim, to successfully take over an account.
Instagram has stressed that receiving a password reset email does not automatically mean an account has been breached.
The company says such emails can be triggered by simple user error, such as someone mistyping an email address when trying to log in.
According to Instagram’s Help Center, legitimate emails are only sent from addresses ending in @mail.instagram.com, and messages from other domains may be phishing attempts.
However, Forbes reports that the timing of the password reset surge closely matches the appearance of the 17.5 million-user database on BreachForums.
The alleged breach database was published just hours before users began reporting the wave of password reset notifications.
The Independent has contacted Meta representatives for comment.
To protect accounts, Instagram strongly recommends enabling two-factor authentication, which requires a security code when logging in from an unrecognized device.
The platform automatically enables 2FA for creator accounts, but all users are urged to check that the feature has not been turned off.
Instagram also offers a recovery process for users who believe their accounts have been compromised.
Full instructions for checking and managing two-factor authentication are available in the company’s Help Center.
If users are locked out of their accounts, Instagram advises visiting instagram.com/hacked to begin the recovery process.
Security experts also warn users to secure their email accounts with unique passwords that are different from their social media logins.
This prevents hackers from gaining access to multiple platforms if one account is compromised.
With more than two billion monthly active users, Instagram has become a prime target for cybercriminals worldwide.
Hackers can launch account takeover attacks using methods ranging from malicious browser extensions to sophisticated phishing schemes.
Experts warn that large-scale data leaks like this make such attacks far easier by handing criminals a ready-made list of targets.
“If you get this message from Instagram and were not expecting it, you have found yourself in the crosshairs of an ongoing account attack,” Winder warned.
He added that he had personally received a dozen password reset emails in just 48 hours.
Winder said it now appears “likely that the surge in password reset attack attempts… is related to a breaking story about a leak of 17.5 million Instagram user accounts by a threat actor on BreachForums.”
The good news, experts say, is that these attacks are unlikely to succeed if users have one critical safeguard in place.
“Two-factor authentication will help you protect your account so no one has access to it,” Instagram confirms, requiring a code in addition to the password “if there’s a login attempt from a device that we don’t recognise.”
Instagram also noted, “To provide the highest security possible, we turned on two-factor authentication for creator accounts by default.”
The company urged users to “check to make sure that you didn’t turn it off!”
Cybersecurity specialists warn that users should stay vigilant, think twice before clicking any unexpected emails, and take immediate steps to secure their accounts as the fallout from the leak continues to unfold.
What is a password reset attack?
A password reset attack is when hackers try to break into an account by abusing the “forgot password” feature or tricking users into handing over access.
Instead of guessing passwords, criminals rely on panic, deception or security loopholes.
How it works:
• Hackers trigger password reset emails to flood a victim’s inbox.
• Fake emails or messages may impersonate Instagram or tech support.
• Victims are pressured into clicking links or sharing security codes.
• Once a reset link or code is captured, attackers can lock users out and take control.
Why it’s dangerous:
• It doesn’t require stealing passwords first.
• Attackers can use leaked emails and phone numbers to appear legitimate.
• Repeated reset requests can overwhelm users and hide scam messages.
How to stay safe:
• Ignore password reset emails you didn’t request.
• Never click links unless you started the reset yourself.
• Turn on two-factor authentication using an authenticator app.
• Always check the sender’s email address and website URL carefully.
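The sender-domain and link checks in the list above, and the flood of reset notices described earlier (a dozen in 48 hours), can be turned into a small triage script. The Python below is an added example written for this article, not Instagram’s or Meta’s code. It takes from the article only the fact that genuine mail comes from @mail.instagram.com; the assumption that genuine reset links live under instagram.com, the 48-hour window, the threshold of three and all sample messages are constructed for the example.

```python
"""Triage unexpected password-reset emails: sender domain, link hosts, flood count.
Added example for this article; not Instagram/Meta code. Sample messages are constructed."""
import email
import re
from datetime import timedelta
from email import policy
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# The only sender domain Instagram's Help Center calls legitimate (from the article).
LEGIT_SENDER_DOMAIN = "mail.instagram.com"
# Assumption: genuine reset links resolve under instagram.com (or a subdomain of it).
LEGIT_LINK_DOMAINS = ("instagram.com",)

RESET_RE = re.compile(r"password reset|reset (your )?password", re.I)
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)


def host_allowed(host, allowed):
    """True if host equals an allowed domain or is a subdomain of one.
    'instagram.com.verify-login.example' is neither: that is the lookalike trick."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowed)


def triage(raw):
    """Classify one RFC 822 message as ok / unsolicited-reset / phishing."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    _, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rpartition("@")[2].lower()
    if sender_domain != LEGIT_SENDER_DOMAIN:
        reasons.append(f"sender domain {sender_domain!r} is not {LEGIT_SENDER_DOMAIN}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if not host_allowed(host, LEGIT_LINK_DOMAINS):
            reasons.append(f"link points at {host!r}")
    is_reset = bool(RESET_RE.search(str(msg.get("Subject", "")) + " " + text))
    if reasons:
        verdict = "phishing"
    elif is_reset:
        verdict = "unsolicited-reset"  # genuine sender, but only act if you asked for it
    else:
        verdict = "ok"
    return {"verdict": verdict, "is_reset": is_reset, "reasons": reasons}


def reset_flood(raws, window_hours=48, threshold=3):
    """True if `threshold` or more reset emails fall inside any window_hours span."""
    times = []
    for raw in raws:
        if triage(raw)["is_reset"]:
            msg = email.message_from_string(raw, policy=policy.default)
            times.append(parsedate_to_datetime(str(msg["Date"])))
    times.sort()
    window = timedelta(hours=window_hours)
    return any(
        sum(1 for t in times[i:] if t - start <= window) >= threshold
        for i, start in enumerate(times)
    )


# --- constructed sample messages (not real mail) ---------------------------
def legit_reset(date):
    """Approximation of a genuine notice: right sender domain, link under instagram.com."""
    return (
        "From: Instagram <security@mail.instagram.com>\n"
        "To: user@example.com\n"
        "Subject: Reset your password\n"
        f"Date: {date}\n\n"
        "We received a request to reset your Instagram password.\n"
        "https://www.instagram.com/reset?token=CONSTRUCTED\n"
        "If you ignore this message, your password will not be changed.\n"
    )


LOOKALIKE_PHISH = (
    'From: "Instagram Support" <help@instagram-security-team.example>\n'
    "To: user@example.com\n"
    "Subject: Password reset required - action needed\n"
    "Date: Fri, 09 Jan 2026 10:05:00 +0000\n\n"
    "Your password reset is pending. Confirm here within 24 hours:\n"
    "https://instagram.com.verify-login.example/reset\n"
)

INBOX = [
    legit_reset("Fri, 09 Jan 2026 10:00:00 +0000"),
    LOOKALIKE_PHISH,
    legit_reset("Fri, 09 Jan 2026 22:00:00 +0000"),
    legit_reset("Sat, 10 Jan 2026 08:00:00 +0000"),
]

if __name__ == "__main__":
    for raw in INBOX:
        print(triage(raw))
    print("reset flood in 48h:", reset_flood(INBOX))
```

Two design points matter here. The link check compares the parsed hostname, not the visible string, so “instagram.com.verify-login.example” is rejected even though it starts with the real domain. And a message that passes both checks is still reported as unsolicited-reset rather than ok: a genuine reset email you did not request is itself the signal that someone is trying the “forgot password” flow against your account, and the right response is to ignore it and check that two-factor authentication is on.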
