**A Massive Breach Exposed Data of 17.5M Instagram Users**
A shocking data breach has left millions of Instagram users shaken, as sensitive information about their accounts was stolen by cybercriminals. The breach, which exposed the personal data of around 17.5 million Instagram users, has sent a wave of password reset emails to affected users and raised fears that the stolen data is already circulating online.
The breach was discovered by Malwarebytes Labs researchers, who warn that the exposed data includes usernames, physical addresses, phone numbers, email addresses, and more. This sensitive information could be used for malicious purposes such as stalking, swatting, extortion, and identity theft.
Since January 10, 2026, over a million users have received password reset emails, sparking confusion and fears of a global cyberattack. Security experts warn that this is a serious privacy breach with real-world risks, and affected data may already be circulating on the dark web.
**How the Breach Occurred**
The researchers found that the sensitive database was being sold on a cybercrime forum, described as a "doxxing kit" affecting nearly 18 million Instagram users. Unlike past data scrapes, this leak includes physical home addresses linked to Instagram user IDs. It's believed that attackers may have combined Instagram user IDs with data from external databases, such as marketing lists, data brokers, e-commerce platforms, or leaked customer records, to match usernames with real names and home addresses.
By linking online identities to physical addresses, the threat goes beyond spam or account takeovers. It enables stalking, swatting, extortion, and identity theft, turning a digital privacy breach into a potential real-world safety risk.
**The Aftermath**
Reports indicate that portions of the 17.5 million record database are being auctioned on illicit marketplaces. The data is reportedly being sold in "batches" sorted by region and follower count, making influencers and high-profile business accounts primary targets.
Instagram users should act now and assume possible exposure. Researchers recommend that users avoid clicking password reset emails, reset their password only via the app, and verify emails using Instagram's official email log to spot phishing. Enable app-based two-factor authentication rather than SMS 2FA. Finally, review and remove unknown or unused third-party app permissions, which may have contributed to the breach.
**What You Can Do**
Take immediate action to protect your account:
- Avoid clicking password reset emails
- Reset your password only via the app
- Verify emails using Instagram's official email log to spot phishing
- Enable app-based two-factor authentication
- Review and remove unknown or unused third-party app permissions
Stay vigilant and monitor your account for any suspicious activity. Remember, your safety is at risk, so don't wait – take action now to protect yourself.