The Instagram data of more than 17.5 million users was exposed this week — triggering a barrage of ‘password reset attacks’. The attacks began on Friday night and multiple reports indicate the data is now circulating on dark web forums.
The incident was first flagged by cybersecurity researchers at Malwarebytes, who reportedly found the data during routine dark web monitoring. It included usernames, full names, email addresses and phone numbers, as well as other contact details including partial physical addresses. The group also warned that the scale of the exposed data would significantly increase the risk of abuse.
“Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more,” the Malwarebytes social media handle explained.
What is the danger posed by the breach?
Attackers can use the leaked data in impersonation attacks, phishing campaigns, and credential harvesting attempts. It can also be used in tandem with Instagram's password reset mechanism to gain access to user accounts.
According to a Forbes report, the US Federal Bureau of Investigation also issued a critical warning about password resets in 2025. It flagged ‘Scattered Spider’ threat actors who had reportedly posed as company employees “to convince IT or helpdesk staff to provide sensitive information, reset the employee’s password and transfer their multifactor authentication setup to a device they control”.
Where did the data come from?
According to reports, the data may have been sourced from an Instagram API leak in 2024. A threat actor named “Solonik” reportedly posted the dataset on BreachForums for free on January 7. The post claimed to include over 17 million Instagram user records from across the world in JSON and TXT formats. Sample data shared online included usernames, emails, phone numbers, user IDs, and profile metadata. The data is reportedly structured like API responses, suggesting it may have been collected via scraping. It remains unclear where the leak originated.
