A staggering 17.5 million Instagram accounts have been compromised, with sensitive data like emails, phone numbers, and addresses now freely circulating on dark web forums. Cybersecurity firm Malwarebytes first flagged the breach, linked to a hacker named “Solonik” who posted the info on BreachForums on January 7, 2026. Meta remains silent, leaving users vulnerable to phishing, identity theft, and account takeovers amid rising cyber threats.
Breach Discovery and Data Exposed
Malwarebytes uncovered the leak during routine dark web scans, revealing structured JSON and TXT files from a possible 2024 Instagram API endpoint exposure. The dataset includes critical personal details for 17.5 million users:
- Usernames and full names
- Email addresses
- International phone numbers
- Partial physical addresses
- User IDs and contact information
Shared for free, this trove empowers cybercriminals to launch targeted attacks, with early signs of password reset spam already hitting victims.
How the Hackers Struck
The breach likely originated from an Instagram API vulnerability or third-party service flaw, with the data harvested in 2024 and dumped publicly this week. “Solonik” boasted about the data’s freshness on forums, fueling a wave of exploitation. This fits a pattern of API abuse seen in prior Meta incidents, where lax endpoint security exposed millions.
Risks to Instagram Users Now
Exposed data amplifies dangers in today’s threat landscape:
- Phishing Onslaughts: Fake Instagram/Meta emails or SMS messages that trick users into entering their login details.
- Account Hijacking: Impersonation using real details for social engineering.
- Credential Reuse Attacks: Passwords stolen if duplicated elsewhere.
- Identity Theft: Addresses enable physical scams or doxxing.
Users report suspicious activity, underscoring the urgency as hackers weaponize this intel rapidly.
Meta’s Silence Sparks Outrage
Meta has issued no statement, update, or mitigation guidance despite outreach from experts. No breach notifications have been sent and no security patches announced, leaving 17.5 million users in limbo. Critics slam the response as negligent, especially after the 2024 API warnings, saying it erodes trust in platform safeguards.
Immediate Protection Steps
Act now to shield your account:
- Enable two-factor authentication (2FA) via app or SMS.
- Update your Instagram password; use a unique, strong one.
- Scrutinize login activity and log out unknown sessions.
- Revoke third-party app access in settings.
- Monitor emails/texts for phishing; never click suspicious links.
- Run antivirus scans and consider a password manager.
Proactive steps blunt the breach’s edge, even without Meta’s help.
About the author – Rehan Khan is a law student and legal journalist with a keen interest in cybercrime, digital fraud, and emerging technology laws. He writes on the intersection of law, cybersecurity, and online safety, focusing on developments that impact individuals and institutions in India.
