Security experts are warning of a significant data breach impacting millions of Instagram users, with personal information now circulating on the dark web and leading to a wave of suspicious password reset emails.
Scale and Source of the Instagram Data Leak
The security firm Malwarebytes revealed on Saturday via a post on X that a dataset containing approximately 17.5 million user records has been leaked. According to reports, the data was initially stolen during an Instagram API leak in 2024. The information was then published for free on the BreachForums platform this past Wednesday by a threat actor using the name 'Solonnik'.
The compromised data is highly sensitive and includes a range of personal details such as:
- Usernames and full names
- Email addresses and phone numbers
- Partial physical addresses
- Other contact information
Malwarebytes has warned that this trove of data has likely already been shared with cybercriminals. Meta, the parent company of Instagram, has not yet officially confirmed the breach.
Immediate Risks and User Reports
The primary danger of such a leak is that the exposed information can be used for identity theft and financial fraud. Criminals can use the details to impersonate individuals, gain access to other accounts, or launch targeted phishing campaigns.
This risk is already manifesting. Publications like The Verge have reported that thousands of people have received a deluge of password reset request emails in recent days. While these emails may appear legitimate, cybersecurity experts state they are almost certainly sent by scammers attempting to capitalise on the breach.
The critical advice is not to click on any links within these unsolicited password reset emails.
Steps to Protect Yourself After the Breach
For users concerned they may be affected, there are clear actions to take. First, you can check if your email address was compromised in this or other breaches by visiting trusted sites like HaveIBeenPwned.com or the malwarebytes.com blog, which has provided a dedicated checker for this Instagram incident.
If your data was exposed, or as a general precaution, security professionals strongly recommend two immediate steps:
- Change your Instagram password to a new, strong, and unique one.
- Enable two-factor authentication (2FA) on your account. This adds a critical extra layer of security beyond just a password.
Vigilance is key. Be extremely wary of any unexpected communications asking for personal details or urging you to click links, even if they seem to come from a known service.