A newly reported data exposure may have affected as many as 17.5 million users of Instagram, raising renewed concerns about account security and the ongoing risks tied to large-scale social networks. According to cybersecurity researchers, the incident involves the possible release of user information that could include usernames, phone numbers, email addresses, and physical locations. While the full scope of the exposure has not been independently verified, the nature of the data being discussed is enough to warrant caution.
The warning was first amplified by Malwarebytes, which advised users to change their passwords and enable two-factor authentication as a precaution. The firm noted an increase in phishing activity targeting Instagram users, particularly emails claiming that a password reset has been requested. These messages are designed to look legitimate but often direct users to fake login pages intended to harvest credentials.
Screenshots shared by users on Reddit appear to support the claim that unrequested password reset emails are circulating. Malwarebytes also referenced posts on X where similar concerns were raised. While phishing campaigns are common even without confirmed breaches, their timing has drawn attention in light of the reported data exposure.
Malwarebytes (@Malwarebytes) posted on January 9, 2026: “Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more.”
Cybersecurity outlet CyberInsider suggested that the data may be linked to an Instagram API leak dating back to 2024. According to its reporting, a user operating under the alias “Solonik” published a dataset earlier this month on a forum known for sharing information from past breaches. The data was reportedly offered for free, a tactic sometimes used to build credibility or attention within underground communities. However, CyberInsider noted that a definitive connection between the older API issue and the newly shared dataset has not yet been established.
Technical analysis of the leaked material reportedly shows structured fields consistent with API responses, though this alone does not confirm the origin or timing of the leak. At this stage, there is no public explanation for why the data resurfaced or whether it reflects a new vulnerability.
Instagram’s parent company, Meta, has not confirmed the breach or commented on the claims. If validated, the incident would add to a history of data protection issues for the platform. In 2022, Instagram faced regulatory penalties in Europe related to multiple data breach disclosures, underscoring ongoing scrutiny around how user information is handled.
In the absence of official confirmation, users are being encouraged to take standard security precautions. Changing passwords, enabling two-factor authentication, and avoiding links in unsolicited emails remain effective ways to reduce risk. Even when breaches are unverified, phishing campaigns often rely on uncertainty and urgency, making user awareness a critical line of defense.

