A massive breach exposed data of 17.5M Instagram users

AndyC 11 January 2026

A massive breach exposed data of 17.5M Instagram users

A massive breach exposed data of 17.5M Instagram users

A massive breach exposed data of 17.5M Instagram users

A massive breach exposed data of 17.5M Instagram users

Pierluigi Paganini
January 10, 2026

A massive breach exposed data of 17.5M Instagram users, triggering mass password reset emails and fears that stolen data is already circulating online.

A major data breach has exposed the personal data of about 17.5 million Instagram users, Malwarebytes Labs researchers warn. Exposed data includes usernames, physical addresses, phone numbers, and email addresses,.

Since January 10, 2026, a million users have received password reset emails, sparking confusion and fears of a global cyberattack. Security experts warn this is a serious privacy breach with real-world risks, and affected data may already be circulating on the dark web.

The researchers found a sensitive database for sale on a cybercrime forum, described as a “doxxing kit” affecting nearly 18 million Instagram users. Unlike past data scrapes, this leak includes physical home addresses linked to Instagram user IDs.

The stolen data likely didn’t come from Instagram profiles alone, attackers may have combined Instagram user IDs with data from external databases, such as marketing lists, data brokers, e-commerce platforms, or leaked customer records, to match usernames with real names and home addresses.

By linking online identities to physical addresses, the threat goes beyond spam or account takeovers. It enables stalking, swatting, extortion, and identity theft, turning a digital privacy breach into a potential real-world safety risk.

“The data is not just sitting idle. Reports indicate that portions of the 17.5 million record database are being auctioned on illicit marketplaces.” reported the website The Cybersec Guru. “The data is reportedly being sold in “batches” sorted by region and follower count, making influencers and high-profile business accounts primary targets.”

Instagram users should act now and assume possible exposure. Researchers recommend avoiding clicking password reset emails, resetting your password only via the app, and verify emails using Instagram’s official email log to spot phishing. Enable app-based two-factor authentication, preferring avoid SMS 2FA. Finally, review and remove unknown or unused third-party app permissions, which may have contributed to the breach.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , , , , , , , , , , ,

More Stories

North Korea–linked APT Kimsuky behind quishing attacks, FBI warns

North Korea–linked APT Kimsuky behind quishing attacks, FBI warns

AndyC 11 January 2026
How are Agentic AI systems ensuring compliance?

Illinois Department of Human Services (IDHS) suffered a data breach that impacted 700K individuals

AndyC 10 January 2026
Trend Micro fixed a remote code execution in Apex Central

Trend Micro fixed a remote code execution in Apex Central

AndyC 10 January 2026
Iran cuts Internet nationwide amid deadly protest crackdown

Iran cuts Internet nationwide amid deadly protest crackdown

AndyC 10 January 2026
China-linked UAT-7290 spies on telco in South Asia and Europe using modular malware

China-linked UAT-7290 spies on telco in South Asia and Europe using modular malware

AndyC 10 January 2026
pcTattletale founder pleads guilty in rare stalkerware prosecution

pcTattletale founder pleads guilty in rare stalkerware prosecution

AndyC 10 January 2026

You may have missed

A massive breach exposed data of 17.5M Instagram users

A massive breach exposed data of 17.5M Instagram users

AndyC 11 January 2026
How are Agentic AI systems ensuring compliance?

How to stay ahead with Agentic AI in cybersecurity?

AndyC 11 January 2026
How are Agentic AI systems ensuring compliance?

Why trust Agentic AI for critical system operations?

AndyC 11 January 2026
North Korea–linked APT Kimsuky behind quishing attacks, FBI warns

North Korea–linked APT Kimsuky behind quishing attacks, FBI warns

AndyC 11 January 2026
MuddyWater Launches RustyWater RAT via Spear-Phishing Across Middle East Sectors

MuddyWater Launches RustyWater RAT via Spear-Phishing Across Middle East Sectors

AndyC 11 January 2026

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.