Instagram Users Warned After Alleged Data Leak Affecting 17.5 Million Accounts
17.5M accounts allegedly affected by data leak.
Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more.
— Malwarebytes (@Malwarebytes) January 9, 2026
Instagram users across Ireland and worldwide are being urged to enable two-factor authentication following claims by cybersecurity firm Malwarebytes that personal information from 17.5 million accounts may have been exposed. Meta, Instagram's parent company, has denied any system breach occurred.
On 9 January, Malwarebytes posted on X that cybercriminals had allegedly stolen sensitive information from 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, and email addresses. The cybersecurity firm warned the data was reportedly being offered for sale on dark web forums.
The announcement coincided with widespread reports from users receiving unexpected password reset emails from Instagram, sparking concerns about potential account compromises.
Meta spokesperson:
"We fixed an issue that allowed an external party to request password reset emails for some Instagram users. We want to reassure everyone there was no breach of our systems and people's Instagram accounts remain secure. People can disregard these emails and we apologise for any confusion this may have caused."
The statement directly contradicts claims of a data breach. However, multiple cybersecurity outlets reported that a dataset purportedly containing Instagram user information appeared on hacking forums in early January, with some sources suggesting the data may have originated from an API exposure in 2024.
What Should Instagram Users Do?
Security experts recommend taking immediate action regardless of whether a breach occurred:
- Enable two-factor authentication immediately. This adds an extra layer of security beyond your password. You can activate this in Instagram's security settings.
- Check if your data has been exposed. Malwarebytes offers a free Digital Footprint Portal where users can enter their email address to check if they appear in the leaked dataset.
- Don't click links in unexpected password reset emails. If you want to change your password, navigate directly to the Instagram app or website rather than clicking email links.
- Check sender addresses carefully. Legitimate Instagram emails come from @mail.instagram.com. Other domains may be phishing attempts.
- Review logged-in devices. Visit Meta's Accounts Centre to check which devices have access to your account and log out any you don't recognise.
- Update your recovery information. Ensure your email address and phone number on file are current and secure.
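The sender check from the list above can be automated over a saved message. The sketch below is an added example, not code from Instagram, Meta or Malwarebytes. It compares the From domain exactly against @mail.instagram.com and, going one step beyond the article, also requires that the receiving server recorded a DMARC pass. The sample messages, the `mx.example.net` server name and the `.example` domains are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "mail.instagram.com"  # sender domain given in the article

def from_parts(raw):
    """Return (display name, lower-cased domain) of the From header."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""
    return display, domain

def dmarc_passed(raw):
    """True if the first Authentication-Results header records dmarc=pass
    for the trusted domain. Assumption: that first header was added by your
    own mail provider; copies further down could be forged by the sender."""
    results = message_from_string(raw).get("Authentication-Results", "")
    m = re.search(r"dmarc=pass\b.*?header\.from=([\w.-]+)", results, re.S | re.I)
    return bool(m) and m.group(1).lower() == TRUSTED_DOMAIN

def classify(raw):
    display, domain = from_parts(raw)
    if domain == TRUSTED_DOMAIN:
        # Exact match only; the From header alone can be forged, so also
        # require the receiving server's DMARC verdict.
        return "expected" if dmarc_passed(raw) else "unverified"
    if "instagram" in domain or "instagram" in display.lower():
        return "lookalike"  # brand name present, wrong domain
    return "unrelated"

def build(from_header, dmarc):
    """Build a constructed sample message for the demonstration."""
    domain = from_header.rpartition("@")[2].rstrip(">")
    return (f"Authentication-Results: mx.example.net; dmarc={dmarc} "
            f"header.from={domain}\n"
            f"From: {from_header}\nSubject: Reset your password\n\nbody\n")

if __name__ == "__main__":
    for sender, verdict in [
        ("Instagram <security@mail.instagram.com>", "pass"),
        ("Instagram <security@mail.instagram.com>", "fail"),
        ("Instagram <security@mail.instagram.com.account-verify.example>", "pass"),
        ("Instagram Support <noreply@account-verify.example>", "pass"),
    ]:
        print(classify(build(sender, verdict)), "<-", sender, f"(dmarc={verdict})")
```

A result of `expected` only says the message came from the stated domain; the advice above to open the app or website directly rather than following an emailed link still applies.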
If you believe your account has been compromised, Instagram provides dedicated support at instagram.com/hacked to help secure your account. Additional guidance on handling potentially hacked accounts is available through Instagram's Help Centre.
While the extent of any data exposure remains disputed, the surge in password reset emails and dark web activity suggests heightened risk for Instagram users. Taking preventative security measures is advisable even in the absence of confirmed breach notifications.