An alleged data breach has exposed sensitive information of 17.5 million Instagram users

17.5 million Instagram users have reportedly had their usernames, house and email addresses, phone number as well as other personal information put up for sale on underground websites, according to Malwarebytes. 

Users have reported receiving multiple password reset request emails following the alleged hack reported by Malwarebytes. However, Meta continues to insist that there was no breach.

Was Instagram’s user data leaked?

Malwarebytes reported that Instagram discovered a breach in its security during a routine dark web monitoring scan. And it claims that it has resulted in the sensitive data of approximately 17.5 million Instagram users being made available for sale on underground forums so far.

The compromised information includes Instagram usernames, physical addresses, phone numbers, email addresses, and additional personal details. The cybersecurity company said this incident is linked to a potential API exposure that occurred in 2024.

However, Meta, Instagram’s parent company, has so far denied the breach claims, stating it fixed a technical issue and, in the process, had password reset emails triggered by an external party.

“We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems and your Instagram accounts are secure. You can ignore those emails — sorry for any confusion,” the company wrote. 

Despite Meta’s denial, many Instagram users have reported receiving multiple password reset request emails in recent days, and panic has spread on social media that cybercriminals are attempting to exploit people’s stolen information.

The leaked information could also be used by the attackers to craft convincing fraudulent messages that make users more likely to click on malicious links or provide additional sensitive information.

With access to usernames, email addresses, and phone numbers, cybercriminals can attempt to gain control of an individual’s accounts. The attackers can use it to spread spam, scam the victim’s followers, or access any linked payment information or private messages.

The physical addresses included in the breach could potentially be used for identity theft, targeted harassment, or even to threaten someone’s physical safety.

How can Instagram users protect themselves?

ManageMyHealth, New Zealand’s largest patient portal with about 1.8 million registered users, revealed that there was unauthorized access to its application. It stated that approximately 6% to 7% of its users may be impacted, which is roughly 108,000 to 126,000 people.

Security experts strongly recommend that all Instagram users take immediate protective measures like enabling two-factor authentication on their accounts. The security feature requires a second form of verification beyond just your password, which is typically a code sent to your phone or generated by an authentication app.

They also recommend changing your Instagram password, especially if you’ve been using the same password for an extended period or if you’ve reused it across multiple platforms. Users should create strong, unique passwords that have uppercase and lowercase letters as well as numbers and special characters.

Instagram users have been warned to be skeptical of unexpected emails, text messages, or direct messages asking for personal information or urging immediate action.

Meta was in a similar situation back in November 2024 when a leak reportedly exposed 489 million Instagram user records on a dark web platform.

If you're reading this, you’re already ahead. Stay there with our newsletter.