Instagram — Data Breach
Executive Summary
A database containing 17.5 million Instagram user records appeared for sale on a dark web forum, including usernames, email addresses, phone numbers, and hashed passwords. Concurrently, a password reset vulnerability was discovered that allowed attackers to enumerate valid accounts. Meta patched the vulnerability and initiated forced password resets for affected accounts.
What Happened
On January 11, 2026, a dataset containing 17,017,213 Instagram account records was released for free on hacking forums, including usernames, email addresses, phone numbers, physical addresses, and Instagram IDs. Meta confirmed it fixed a bug that allowed external parties to mass-request password reset emails for some Instagram users, but stated there was no breach of their systems. The origin of the leaked data remains unconfirmed, with some researchers claiming it comes from older API scraping incidents dating back to 2017 or 2022, though Meta denies awareness of API compromises in 2022 or 2024.
Who Is Affected
Approximately 17 million Instagram users are affected by the data leak, with varying amounts of personal information exposed per account. The leaked dataset includes over 16.5 million unique usernames, 6.2 million email addresses, 3.5 million phone numbers, 12.4 million names, and over 1.3 million physical addresses. Meta initiated forced password resets for accounts affected by the password reset vulnerability.
Why It Matters
The leak exposes millions of Instagram users to increased risks of targeted phishing, smishing, and social engineering attacks using their personal information. While the dataset does not contain passwords, the combination of usernames, email addresses, phone numbers, and physical addresses provides substantial information for identity theft and fraud attempts. The incident highlights the ongoing exposure of social media platforms to data scraping, even when no direct system breach occurs.
What You Should Do
Users should remain vigilant against phishing emails, text messages, and social engineering attempts that may use their leaked personal information. If you received a password reset email from Instagram during this period and did not request it, you can disregard it, as Meta has confirmed these were generated by the bug. Monitor your accounts for suspicious activity and be cautious of any unsolicited communications claiming to be from Instagram or requesting personal information.
AI-Assisted
Event summaries are generated by Claude AI from verified sources and reviewed by humans before publication.