Personal information of 17.5 million people leaked from Instagram onto the dark web

Instagram has reportedly leaked usernames, real names, addresses, phone numbers, and email addresses of approximately 17.5 million users.

Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more.

This data is available for sale on the dark web and can be abused by cybercriminals.

[image or embed]

— Malwarebytes ( @malwarebytes.com ) January 10, 2026, 1:34 AM

An Instagram data breach reportedly exposed the personal info of 17.5 million users
https://www.engadget.com/cybersecurity/an-instagram-data-breach-reportedly-exposed-the-personal-info-of-175-million-users-192105616.html

Instagram Breach 2026: 17.5 Million Accounts Exposed | The CyberSec Guru
https://thecybersecguru.com/news/instagram-data-breach-17-million/

According to Malwarebytes Labs, the research division of security company Malwarebytes , information from 17.5 million Instagram accounts has been stolen and is being sold on the dark web.

Malwarebytes Labs discovered the information for sale while scanning the dark web, and has already reported that many users have received emails sent when attempting to reset their passwords.

Data leaks from Instagram have occurred in 2019 and 2021, but the information leaked in the past was limited to email addresses and links in the profile section, and although there were problems, the severity was not very high. However, this time, it is believed that Instagram user IDs and location data were linked to the leak, and security experts are assessing the risk level as high.

It has also been pointed out that the leak of addresses could lead to real-world harm by combining usernames and addresses.

Malwarebytes Labs warned that the leaked information could lead to further attacks, such as phishing and account takeovers, and urged users to check their accounts in the Meta Account Center to see if any suspicious devices are logged into Instagram.

The CyberSec Guru, a security information site, says it's too late to wait for an official statement from Meta, and urges people to assume their information has been leaked and take the following four steps:

1: Change your password via the Instagram app's Account Center
Phishing scams are being launched to target panicked users by disguising emails asking for password resets, so instead of clicking on links in emails, change your password via the Account Center within the Instagram app.

2: Check recent emails sent by Instagram
Instagram keeps a log of recent emails sent to you in the 'Password & Security' section of your Account Center. If you see a password reset email in the 'Security' tab, it means someone actually tried to change your password but was blocked. If not, delete any emails you receive requesting a password reset, as they are phishing scams.

3: Use app-based two-factor authentication
Since phone numbers have also been leaked, SMS-based two-factor authentication is no longer secure. Please use apps such as Google Authenticator or Duo for two-factor authentication via the 'Password and Security' app.

4. Remove third-party app permissions
Because this data breach may have come from a third-party analytics or follower tracking app with legitimate access to API data, please remove any apps you don't remember granting permission to or no longer use from 'Apps and Websites' under 'Website Permissions.'

・Continued
Instagram denies data breach after reports of 17.5 million users' personal information leak - GIGAZINE