
In January 2026, a dataset containing 17.5 million Instagram account records surfaced on BreachForums, one of the largest cybercriminal marketplaces on the dark web. Security firm Malwarebytes confirmed the exposure after discovering the dataset during routine dark web monitoring.
The leaked information from the Instagram data breach included full names, email addresses, phone numbers, and partial physical addresses. Within days, millions of users began receiving unsolicited password reset emails, and Instagram data breach concerns spread across social media.
If you use Instagram, here is what you need to know.
What Is the Instagram Data Breach?
The dataset appeared on January 7, 2026, posted by a threat actor using the alias “Solonik.” It contained 17.5 million records in JSON and TXT formats that resembled native API response data, pointing to data scraping via an Instagram API endpoint during late 2024.
Meta denied a systems breach and said it fixed a technical issue that allowed external parties to trigger password reset emails. Security researchers and Have I Been Pwned independently confirmed the data was real.
The Instagram data breach history includes similar incidents, from the 2019 Chtrbox exposure of 49 million records to the 2021 SocialArks cloud misconfiguration that leaked 318 million records across multiple platforms.

Figure 1: The BreachForums listing posted by “Solonik” on January 7, 2026.
What Data Was Exposed?
The 2026 dataset is structured in JSON and TXT formats that closely match native Instagram API responses. This is profile-level data scraped at scale, covering both public and semi-public fields. The location data is problematic because it appears to have been cross-referenced from third-party marketing databases, correlating Instagram User IDs with physical addresses that were never publicly visible.
The personal information exposure included:
- Usernames and display names
- Email addresses (approximately 6.2 million records)
- Phone numbers
- Partial physical addresses and location data
- Account IDs and follower metadata
- Business contact information
Passwords were not part of this dark web data leak. However, the leaked information gives attackers everything they need for targeted phishing, SIM swap attacks, and credential stuffing using passwords from separate infostealer databases. In 2025, security researcher Jeremiah Fowler found 184 million credentials harvested by infostealer malware, including Instagram logins with plaintext passwords.
How Did the Instagram Data Breach Happen?
The evidence points to data scraping rather than a direct compromise of Instagram’s internal systems. Attackers exploited an API endpoint, likely Instagram’s Contact Importer, feeding large volumes of phone numbers and email addresses into the system to match them against user accounts.
Rate limiting was insufficient to stop the operation before 17.5 million records were harvested. Meta patched the vulnerability after the data had already been compiled and held for months before appearing on a cybercriminal marketplace.
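How a platform defender might detect the contact-matching enumeration described above, as an added example (not code from Instagram, Meta, or this article): it counts distinct contacts looked up per client in a sliding window rather than raw requests, so a legitimate address-book re-sync is not flagged. The log fields, client names, window and limit are assumptions, and the events are constructed sample data.

```python
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 3600  # assumed look-back window
MAX_DISTINCT = 200     # assumed per-client budget of distinct contacts per window


def find_enumerators(events, window=WINDOW_SECONDS, limit=MAX_DISTINCT):
    """events: (epoch_seconds, client_id, contact) tuples sorted by time.

    Returns {client_id: timestamp at which the client first exceeded the
    distinct-contact budget inside one window}.
    """
    recent = defaultdict(deque)    # client -> (ts, contact) lookups inside the window
    counts = defaultdict(Counter)  # client -> contact -> occurrences inside the window
    flagged = {}
    for ts, client, contact in events:
        q, c = recent[client], counts[client]
        q.append((ts, contact))
        c[contact] += 1
        # Evict lookups that have aged out of the window.
        while q and q[0][0] <= ts - window:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        # len(c) is the number of distinct contacts, not the request count.
        if len(c) > limit and client not in flagged:
            flagged[client] = ts
    return flagged


def sample_events():
    """Constructed sample data: one ordinary client, one bulk-matching client."""
    events = []
    for start in (1000, 2000):  # client-a syncs the same 150 contacts twice
        for i in range(150):
            events.append((start + i, "client-a", f"+1555000{i:04d}"))
    for i in range(500):        # client-b submits 500 different numbers
        events.append((1000 + i, "client-b", f"+1555100{i:04d}"))
    return sorted(events)


if __name__ == "__main__":
    for client, ts in find_enumerators(sample_events()).items():
        print(f"{client} exceeded {MAX_DISTINCT} distinct contacts at t={ts}")
```
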
Cloud misconfiguration and infostealer malware account for the other entries in the Instagram data breach list. Malware variants like Lumma, RedLine, and Raccoon silently extract saved passwords and session tokens from infected devices. Those credentials then fuel credential stuffing attacks across hundreds of services.
Who Is Most At Risk?

Influencers
Influencers, verified accounts, and business profiles carry monetary value on credential theft marketplaces because they can be resold, used for impersonation scams, or used to distribute phishing links to a large audience. A compromised influencer account provides a trusted platform for distributing malicious links to thousands of followers who are unlikely to question content from an account they already follow.
Business Accounts
Business accounts face additional exposure because Instagram displays contact information by default. That data feeds directly into phishing campaigns and SIM swap attacks. An attacker who obtains a business account’s phone number can attempt a SIM swap to intercept SMS-based two-factor authentication codes, gaining full account access and the ability to use the account for financial fraud or impersonation.
Password Reusers
Users who reuse passwords across services face severe risk from credential stuffing. If your Instagram password matches your email or banking login, a single Instagram data breach can cascade into a full identity compromise. Up to 60% of users reuse credentials across multiple accounts.
Public Profiles
People with public profiles also face higher exposure to data scraping, because any visible data can be harvested at scale and combined with records from earlier breaches. The January 2026 breach relied entirely on publicly accessible API endpoints, which means profiles with more visible data contributed more records to the dataset.
What Should You Do If Your Data Was Exposed?
If your account was affected by the 2026 Instagram data breach, or if you received an unsolicited password reset email, take these steps immediately.
- Change your password. Use a unique, complex password that you do not use on any other service. A password manager makes this manageable across dozens of accounts.
- Enable two-factor authentication. Use an authenticator app rather than SMS. SIM swap attacks can intercept text-based codes, making SMS-based 2FA a weaker option for accounts that are already exposed in a breach.
- Check if your email was exposed. Have I Been Pwned will confirm whether your email appears in the Instagram breach database. If it does, change the password on every account using that email address immediately.
- Review login activity. Instagram’s Security settings show recent login locations and devices. Log out any session you do not recognize and check for unfamiliar devices.
- Watch for phishing. Attackers who have your email and username will send convincing messages posing as Instagram support. Avoid clicking links in unsolicited emails or DMs asking you to verify your account.
- Monitor financial accounts. If you used a business account with linked payment information, check for unauthorized transactions and consider placing a fraud alert with your bank.
How To Prevent Future Instagram Data Breaches
Data protection best practices start with using a unique password for every account and storing them in a password manager. This single step neutralizes credential stuffing entirely.
Avoid third-party apps that request broad permissions on your Instagram account, particularly analytics tools and follower trackers, as many of these are data collection operations disguised as productivity tools.
Switch your profile to private if you do not need public visibility. Review your connected apps regularly and revoke access for anything you do not actively use. Install reputable endpoint protection on your devices to guard against infostealer malware, which remains the primary method attackers use to harvest saved credentials.
Staying Ahead Of Social Media Threats
The Instagram data breach list keeps growing, and every incident shares a common thread: data leaves the platform, or an infected device, and ends up on a cybercriminal marketplace.
The 2026 exposure illustrates why scraped profile data becomes more dangerous over time. On its own, a list of usernames and emails is useful for phishing. Combined with credentials from infostealer databases, it enables full account takeover through credential stuffing. Both types of data circulate on the same forums and marketplaces, and attackers routinely cross-reference them.
Anti data exfiltration technology addresses this at the endpoint. If infostealer malware executes on a device and attempts to transmit harvested Instagram credentials, browser cookies, or session tokens to an attacker-controlled server, ADX blocks the transfer before the data leaves. The stolen credentials never reach the cybercriminal marketplace, which means they never get used in credential stuffing attacks against the accounts exposed in breaches like this one.
Strong passwords and two-factor authentication protect individual accounts. Endpoint-level data exfiltration protection stops the supply chain that makes those breaches exploitable in the first place.
To see how BlackFog protects against credential theft and unauthorized data movement, request a demo today.