Instagram data of 17.5 million users reportedly leaked and sold on dark web: How to check if you are affected and stay safe

HIGHLIGHTS

Cybersecurity firm Malwarebytes claims usernames, emails, phone numbers and partial location data from Instagram accounts are circulating on dark web marketplaces.

Several users have reported unsolicited password reset emails, suggesting active attempts to hijack accounts using the leaked information.

Instagram and Meta have yet to issue an official response, while users are advised to enable 2FA, change passwords and watch for suspicious activity.

A large cache of Instagram user data has reportedly surfaced on dark web marketplaces. According to a recent alert from cybersecurity firm Malwarebytes, information linked to nearly 17.5 million Instagram accounts is being actively circulated and sold online. This has raised fresh concerns about account security and user privacy across social media.

The exposed dataset is said to include sensitive personal details such as usernames, email addresses, phone numbers and partial physical location data. Security experts warn that this combination of information increases the risk of phishing attacks, identity fraud and account takeovers.

Malwarebytes noted that the database is already being exploited, with several affected users reporting Instagram password reset emails they did not request. These incidents suggest that threat actors are attempting to gain unauthorised access to accounts using the leaked details.

Dark web listings reviewed by researchers claim the data was scraped toward the end of 2024, allegedly through public-facing APIs and region-specific sources. The seller, operating under the alias “Subkek,” has advertised the dataset as recently collected, with sample records showing full email addresses, phone numbers and limited location information.

Security analysts caution that exposed contact details allow cybercriminals to create highly targeted scam messages that appear to come from Instagram or Meta, making them harder for users to identify as fraudulent.

Instagram and its parent company, Meta, have not yet issued an official statement addressing the reported leak or confirming whether the data originated from their systems or a third-party source. Investigations are ongoing to determine how the information was obtained.

How to know if your account is affected

To check whether your account is affected, enter your email address or phone number on haveibeenpwned.com. Other indicators are unsolicited password reset emails and unrecognized devices listed in Instagram’s Login Activity settings.

What you should do

Users are advised to enable Two-Factor Authentication (2FA) and change their passwords immediately. Users should also ignore or delete suspicious emails that may seem like real ones from Instagram or Meta. Lastly, we advise you to check your Instagram settings and disconnect any unnecessary third-party apps.

Ashish Singh

Ashish Singh is the Chief Copy Editor at Digit. He's been wrangling tech jargon since 2020 (Times Internet, Jagran English '22). When not policing commas, he's likely fueling his gadget habit with coffee, strategising his next virtual race, or plotting a road trip to test the latest in-car tech. He speaks fluent Geek.
