Malwarebytes flags alleged Instagram data dump affecting 17.5m users

A dataset claiming to contain details linked to about 17.5 million Instagram users has appeared on a cybercrime forum, according to an alert circulated by cybersecurity firm Malwarebytes.

Malwarebytes said the data is being offered on the dark web and could be abused for impersonation and phishing, with users also reporting legitimate Instagram password reset notifications being triggered at scale.

The dataset was posted on BreachForums on January 7, 2026 by a threat actor using the alias “Solonik”, under the title “INSTAGRAM.COM 17M GLOBAL USERS — 2024 API LEAK”, reports said.

Reports describing the dataset say it includes usernames and personal contact information such as names, email addresses and phone numbers, with some records containing partial address/location details.

While the dataset is described as highly sensitive, reports also note that passwords were not included—but the exposed contact details may still be used to target users via scams and account-takeover attempts.

Meta, Instagram’s parent company, has rejected claims of a systems breach. In a statement reported by multiple outlets, a Meta spokesperson said it had fixed an issue that allowed an external party to request password reset emails for some Instagram users, adding there was no breach of its systems and that accounts “remain secure”.