Instagram Data Breach (2026)

Instagram Data Breach (2026) is a major security incident resulting from the unauthorized collection of personal data from approximately 17.5 million users worldwide in late 2024, followed by the public release of this data on the dark web in early 2026. The breach began when cybercriminals exploited a vulnerability in Instagram’s Instagram API system, bypassing standard security measures to automatically harvest user profile information and store it systematically.

Discovery of the Breach

The breach was made public in January 2026 by the cybersecurity firm Malwarebytes. The source of the leak was a security flaw in Instagram’s API system that emerged in late 2024, enabling attackers to bypass standard protections and collect user data globally through automated data scraping.

The collected dataset was published in early 2026 on the BreachForums platform under the title “INSTAGRAM.COM 17M GLOBAL USERS — 2024 API LEAK” by an attacker using the alias “Solonnik.” The post claimed to contain records for approximately 17.5 million users. The free availability of this data on the dark web accelerated its spread and quickly turned it into an active threat.

Attack Method and Technical Background

The Instagram data breach was not the result of a direct server compromise but rather an automated data collection technique known as “scraping,” conducted through publicly accessible application programming interfaces (APIs). Beginning in late 2024, attackers exploited weaknesses in Meta’s standard security controls to大规模 scrape user data. These bulk API queries remained undetected for an extended period due to gaps in Instagram’s rate limiting and privacy protections. The incident is classified as an automated data harvesting operation exploiting open interfaces rather than a direct system intrusion.

Scope of the Leaked Data

The leaked dataset contains various personal and contact details of approximately 17.5 million Instagram users. The published data includes usernames, full names, verified email addresses, phone numbers, user ID numbers, countries of origin, and partial location data.

The data was released in structured JSON and TXT formats, with sample screenshots verified by cybersecurity researchers as authentic. Although the leak did not include password information, the exposed personal details are susceptible to misuse for identity theft, social engineering, and fraud.

Risks to Users

Although the leaked data did not include passwords, the exposure of usernames, email addresses, phone numbers, and location information has created serious security risks. These details can be exploited by fraudsters using methods such as phishing, social engineering, and SIM swapping.

Following the incident, many users reported a surge in unexpected password reset emails from Instagram. Attackers have been observed using the leaked data to build trust by impersonating Instagram support staff in an attempt to steal two-factor authentication (2FA) codes or login credentials. The risks extend beyond individual users to include public accounts and influencer profiles.

Meta’s Response

As of January 11, 2026, Meta issued a public statement regarding the Instagram data breach allegations, asserting that no system breach had occurred. The company explained that the surge in password reset emails experienced by some users was caused by a technical issue that allowed external parties to request such emails.^【1】 

Meta emphasized that user account security was not compromised and advised users to ignore the emails, apologizing for the confusion caused. However, this response was questioned by some users and security experts, who criticized the underlying issue — the ability of external actors to trigger password reset requests — as itself a security vulnerability.

Security Experts’ Warnings

Following the breach, security experts have urged Instagram users to remain vigilant. Experts have highlighted the vulnerability of SMS-based authentication to SIM swapping attacks and recommend enabling multi-factor authentication (MFA) through an authenticator app instead. They also stress the importance of ensuring that the email addresses and phone numbers linked to Instagram accounts are current and secure, as these are critical for the proper functioning of account recovery processes in case of unauthorized access.