Key Takeaways
- A large dataset containing information from around 17.5 million Instagram accounts has resurfaced due to an old API vulnerability.
- Even though passwords are not included, exposed email addresses and phone numbers raise significant concerns regarding user security and privacy.
- Malwarebytes has reported an increase in phishing attempts linked to the leak, underscoring the ongoing risks for affected users.
What Happened
Once more, the cybersecurity landscape has been rocked by a significant data breach involving Instagram. An old flaw in the platform’s API, first exploited in 2024, has led to the resurfacing of sensitive data from approximately 17.5 million user accounts on the dark web marketplace BreachForums. According to reporting by Bitcoin.com, an unnamed individual using the alias “Solonik” listed a dataset titled *“INSTAGRAM.COM 17M GLOBAL USERS — 2024 API LEAK”* on January 7, 2026. This incident has reignited discussions about the potential vulnerabilities in social media APIs and raises urgent questions about user privacy and data protection.
Why It Matters
The re-emergence of this leaked dataset is particularly troubling given the kind of information it contains. The 17.5 million records include usernames, full names, verified email addresses, international phone numbers, user IDs, and partial physical addresses. The absence of hashed passwords reduces the risk of direct account takeovers; however, the exposure of emails and phone numbers significantly increases the likelihood of phishing and social-engineering attacks targeting users. This incident highlights the importance of reviewing and strengthening security protocols, especially for platforms handling sensitive user data.
What’s Next / Market Impact
The implications of this breach are far-reaching. Malwarebytes has noted a spike in Instagram password reset emails received by many users, indicating that attackers may be testing methods for account takeovers using the leaked data. Although Instagram’s parent company Meta has issued a standard statement urging users to change their passwords and enable two-factor authentication, there has been no detailed public response about the scope of this latest leak. Users are advised to remain vigilant, particularly against phishing attempts involving fraudulent messages purporting to be from Instagram. To minimize risks, users should update their passwords, review access logs, and be cautious about sharing personally identifiable information, especially through unverified emails or links.









