Massive Instagram data breach: Millions of numbers & emails leaked

Updated on 10-Jan-2026
HIGHLIGHTS

Instagram data leak exposes 17.5 million users to phishing risks

Millions of Instagram emails and phone numbers traded on dark web

Instagram users report password reset attacks after massive data scrape

A massive data security incident has put approximately 17.5 million Instagram users on high alert this week. According to a report by cybersecurity firm Malwarebytes, a significant database containing sensitive user information is currently being traded on dark web marketplaces, exposing millions to potential identity theft, phishing scams, and account hijacking.

A “gold mine” for social engineering

The leak encompasses a wide array of personal data. The compromised records reportedly include usernames, email addresses, phone numbers, and physical addresses.

While passwords do not appear to be part of the plain-text dump, security experts warn that the combination of contact details and real-world location data creates a “gold mine” for cybercriminals. This specific mix of data allows bad actors to execute highly targeted social engineering attacks, making their scams appear far more legitimate than generic phishing attempts.

Active attacks and “reset” storms

The threat has already moved from theoretical to active. Following the leak’s appearance online, multiple Instagram users have reported receiving unsolicited, legitimate password reset notifications from Instagram.

This indicates that bad actors are already utilizing the leaked usernames and emails to attempt account hijacking. By triggering a reset, hackers hope to confuse users into handing over access codes or clicking malicious links disguised as support tickets.

Scraped via public APIs

According to dark web listings analyzed by security researchers, the data was allegedly “scraped” during the final three months of 2024. The seller, operating under the aliases “Subkek” or “Solonik,” claims the information was harvested using public APIs and country-specific sources.

While scraping differs technically from a direct breach of Instagram’s internal servers, the result for the end-user is dangerously similar: private data is now in the public domain. As of now, Meta – Instagram’s parent company – has not released an official statement regarding the scope of the incident.

How to secure your account

Security experts are urging all Instagram users to take immediate defensive measures, regardless of whether they have noticed suspicious activity.

  • Enable Two-Factor Authentication (2FA): Switch on 2FA immediately. Avoid using SMS-based verification if possible; instead, use an authenticator app (like Google Authenticator or Authy), which is more resistant to SIM-swapping.
  • Change Your Password: Update your password to a strong, unique phrase not used on any other platform.
  • Ignore Unsolicited Emails: If you receive a password reset email you did not request, do not click any links inside it.
  • Watch for Phishing: Be skeptical of any DMs claiming to be from Instagram support demanding urgent action.

With 17.5 million accounts exposed, the window to secure your personal data is closing. Proactive steps taken today could prevent a compromised identity tomorrow.

Vyom Ramani
