Key Takeaways
1. A data breach has exposed personal information of 17.5 million Instagram users, discovered by Malwarebytes and linked to a hacker named “Solonik.”
2. The leaked data includes usernames, full names, email addresses, phone numbers, and user IDs, but not passwords.
3. Risks from the breach include impersonation attacks, phishing schemes, and potential account takeovers through Instagram’s password reset feature.
4. Meta, Instagram’s parent company, has not officially confirmed the breach or informed affected users.
5. Users are advised to be cautious of suspicious communications, activate two-factor authentication, update passwords, and avoid clicking unknown links.
A huge data breach has allegedly revealed personal information of 17.5 million Instagram users, sparking major concerns about privacy and security. This situation was first identified by Malwarebytes, which traced the leak to a hacker known as “Solonik.” As stated in the report, the data was shared on BreachForums on January 7, 2026, allowing other cybercriminals to access it.
Discovery and Investigation
In a message sent to users, Malwarebytes mentioned they found the leak during a standard dark web investigation. Their analysis uncovered extensive, organized JSON and TXT files believed to come from a possible Instagram API exposure from 2024. The size of the dataset is notable, consisting of records connected to 17.5 million users, indicating that this was not merely a small or isolated event.
Types of Exposed Data
The leaked information contains various kinds of sensitive personal data. This reportedly includes Instagram usernames, full names, email addresses, international phone numbers, partial physical addresses, user IDs, and other related contact information. Although passwords were not listed among the leaked data, the volume of personal details involved still poses a significant risk to the affected individuals.
Risks Associated with the Breach
Malwarebytes has cautioned that hackers are likely to exploit this data in several ways. The most prevalent dangers include impersonation attacks, targeted phishing schemes, and attempts to gather credentials. A particular worry is the possible misuse of Instagram’s password reset feature. With access to emails and phone numbers, attackers could initiate account takeovers by triggering password reset requests and deceiving users into giving away access.
As of now, Meta, the parent company of Instagram, has not officially acknowledged the breach. There has been no public announcement detailing how the data was leaked or if the impacted users will receive direct notifications.
User Precautions
Until further details emerge, users should remain vigilant. Exercise caution with suspicious emails or SMS that appear to be from Instagram or Meta, particularly those requesting you to reset your password or verify your account. These communications are often designed to seem legitimate but are actually phishing attempts.
To enhance safety, it is strongly advised to activate two-factor authentication (2FA) with an authenticator app or via SMS, update your Instagram password to something robust and unique, and refrain from clicking on unknown links.
Malwarebytes via X
Source:
Link