Instagram is investigating reports of a data exposure that allegedly compromised personal information linked to more than 17.5 million user accounts, according to cybersecurity firm Malwarebytes.
Malwarebytes said on January 9 that it discovered a dataset for sale on the dark web containing information it believes is connected to an Instagram application programming interface (API) exposure dating back to 2024. The firm warned that the data could be abused by cybercriminals.
The exposed information reportedly includes usernames, physical addresses, phone numbers, email addresses and other account details. Malwarebytes said it identified the dataset during a routine scan of underground forums and marketplaces.
The disclosure follows a surge in complaints from Instagram users who reported receiving repeated password reset emails. Malwarebytes said the leaked information may be driving those incidents, raising the risk of phishing attacks, account takeovers and credential-stuffing attempts, in which stolen login details are reused across multiple platforms.
The cybersecurity firm warned that compromised credentials could allow attackers to access not only Instagram accounts but also other online services linked to the same login information.
Meta Platforms, Instagram’s parent company, had not issued an official response to the reported incident at the time of publication.
