Instagram breach
A large cache of Instagram user data has reportedly surfaced on dark web marketplaces. According to a recent alert from cybersecurity firm Malwarebytes, information linked to nearly 17.5 million Instagram accounts is being actively circulated and sold online. The report has raised fresh concerns about account security and user privacy across social media.
The exposed dataset is said to include sensitive personal details such as usernames, email addresses, phone numbers and partial physical location data. Security experts warn that this combination of information increases the risk of phishing attacks, identity fraud and account takeovers.
Malwarebytes noted that the database is already being exploited, with several affected users reporting Instagram password reset emails they did not request. These incidents suggest that threat actors are attempting to gain unauthorised access to accounts using the leaked details.
Dark web listings reviewed by researchers claim the data was scraped toward the end of 2024, allegedly through public-facing APIs and region-specific sources. The seller, operating under the alias “Subkek,” has advertised the dataset as recently collected, with sample records showing full email addresses, phone numbers and limited location information.
Security analysts caution that exposed contact details allow cybercriminals to create highly targeted scam messages that appear to come from Instagram or Meta, making them harder for users to identify as fraudulent.
Instagram and its parent company, Meta, have not yet issued an official statement addressing the reported leak or confirming whether the data originated from their systems or a third-party source. Investigations are ongoing to determine how the information was obtained.
To check whether your account is affected, enter your email or phone number on haveibeenpwned.com. Other indicators include unsolicited password reset emails or unrecognized devices listed in Instagram’s Login Activity settings.
Users are advised to enable two-factor authentication (2FA) and change their passwords immediately, and to ignore or delete suspicious emails that appear to be genuine messages from Instagram or Meta. Lastly, we advise you to check your Instagram settings and disconnect any unnecessary third-party apps.