A major security event involving Instagram surfaced in early January 2026, leaving millions of users questioning the safety of their personal data. Reports from cybersecurity firm Malwarebytes indicate that a dataset containing the personal information of 17.5 million Instagram users is circulating on the dark web. The data includes usernames, full names, email addresses, phone numbers, and partial physical addresses.
The incident gained public attention on 7 January 2026, when a threat actor using the alias “Solonik” posted the records on BreachForums. While the leak does not appear to contain account passwords, the availability of contact details enables attackers to conduct sophisticated phishing and identity theft. Beginning around January 8, users worldwide reported receiving a sudden influx of legitimate password reset emails from Instagram’s official domain. These notifications arrived despite users not initiating any changes, causing widespread alarm.
User experience and detection
Users detected the anomaly through these unsolicited email alerts. Many noted that the emails appeared authentic, featuring correct branding and originating from the verified @mail.instagram.com address. Some individuals received multiple requests within a single hour, leading to concerns that attackers were using the leaked contact information to trigger the platform's automated recovery systems. On platforms like Reddit and X, users expressed confusion when their in-app security history failed to reflect these external reset attempts.
Meta's official stand
Meta, Instagram’s parent company, denies that a system-wide breach occurred. In official statements released on January 11, a Meta spokesperson clarified that the company identified and resolved a technical flaw. This bug allowed external parties to trigger password reset emails for specific accounts without gaining internal access. Meta maintains that its core systems remain secure and that the 17.5 million records likely originated from "scraping", the automated harvesting of public data, rather than a direct hack of its servers. The company advised users that they can safely ignore the unsolicited reset emails.
How to keep your account safe?
Despite Meta's assurances, it is recommended to take immediate steps to protect your digital identity:
- Enable two-factor authentication (2FA): Use an authenticator app rather than SMS-based codes. This adds a layer of protection that a leaked phone number cannot bypass.
- Manual password updates: If you suspect your data is part of the leak, change your password directly through the Instagram app settings. Do not click links in any unsolicited emails.
- Audit login activity: Visit the "Accounts Center" in your settings to review all devices currently logged into your profile. Log out of any unrecognized hardware.
- Scrutinise communications: Treat every email as a potential phishing attempt. Verify account alerts by checking the "Emails from Instagram" tab within the app’s security settings.