
A massive data exposure has reportedly impacted 17.5 million Instagram accounts. Learn about the risks, Meta’s response, and how to secure your profile today.
Security researchers recently discovered a massive Instagram data leak affecting about 17.5 million users. Malicious actors obtained personal data from these accounts, including names, email addresses and phone numbers. The exposed information reportedly also contains partial physical addresses and profile IDs.
A dataset containing the sensitive information of 17.5 million Instagram accounts was found circulating on dark web forums. In response, Instagram’s parent company Meta denied any new breach of its systems, stating that it had fixed a bug that allowed outsiders to trigger password-reset emails and urging users to ignore those messages.
What Data Was Exposed
Leaked records include a trove of personal details. Attackers have obtained Instagram usernames, real names, emails, and phone numbers for millions of accounts. For example, one analysis found roughly 17,017,213 profile IDs were leaked, along with 6.2 million email addresses and 3.5 million phone numbers.
A smaller portion of entries also contains physical addresses (about 1.3 million). This kind of data can fuel phishing and social engineering: threat actors could impersonate contacts or trick victims via SMS, email, or targeted scams. In fact, experts warn these details enable attackers to exploit Instagram’s password-reset system to hijack accounts, as many users reported a flood of unexpected password-reset emails after the leak was revealed.
- Usernames & Names: Public handles and real names from millions of profiles.
- Contact Info: Email addresses and phone numbers tied to accounts.
- Addresses: Office or home addresses for business/creator accounts (approx. 1.3M records).
- Metadata: Unique Instagram IDs and profile details that hint at account activity.
How the Leak Happened
This appears to be a data scraping incident rather than an attack on Instagram's own servers. Researchers traced the data to a data breach forum, where a user with the handle “Solonik” had already circulated it in early January 2026. Meta, however, claims that the data was not taken through hacking but through publicly accessible data fields, perhaps scraped in 2024.
For context, Instagram has been scraped before, notably in 2017, when a bug in its API leaked the details of approximately 6 million user profiles. The dataset is likely a mix of previously leaked data and newer scrapes. In any case, it coincided with a flood of fake password reset emails from “security@mail.instagram.com”, sent in bulk by cybercriminals, hitting the email addresses in the leaked set.
In other words, the exposed information gives attackers enough to target you. For instance, if you receive a password reset notice that you did not request, it simply means an attacker has used your exposed email address or phone number to trigger it. In other cases, the attackers are simply ‘knocking on the door.’ If your login history shows no suspicious logins, the account appears to be safe.
Response and Security on Instagram
Meta reacted quickly to the issue. According to Instagram officials, a vulnerability that had enabled an attacker to send password reset emails without the user's knowledge was found and fixed. Instagram clarified that there had been no breach of security and that all accounts are now secure. As a precautionary measure, users are asked to secure their accounts. Experts have suggested the following measures:
- Enable Two-Factor Authentication (2FA): Enable 2FA with an authenticator app rather than SMS to prevent unauthorized logins.
- Set Strong & Uncommon Passwords: Use strong passwords that differ from the ones you use elsewhere. Change your password if you notice any sign of a breach.
- Confirm Official Emails: Check Instagram's "Emails from Instagram" in-app log to verify whether a password reset email is genuine. Never click on links in unexpected emails.
- Keep an eye on connected apps: Remove any third-party apps that you don’t know or understand. Scraping sometimes occurs through compromised API access.
Fortunately, by following these steps, you will be less vulnerable to account takeover. Two-factor authentication will prove particularly useful, as attackers will not be able to access your account, even if they manage to obtain your password and phone number.
Moreover, if you use Google, its Password Checkup lets you check whether your password appears in the database of compromised passwords. Although no new Instagram leak was confirmed, users whose passwords were in the database should nonetheless stay vigilant.