Key Findings:

• A massive data breach has exposed the personal information of about 17.5 million Instagram users.

• The exposed data includes usernames, physical addresses, phone numbers, and email addresses.

• Cybercriminals have stolen this sensitive information and are selling it in batches on dark web forums.

• Affected users have reported receiving password reset emails, raising concerns about ongoing phishing attempts.

• Security experts warn this breach poses serious privacy and safety risks, as attackers can leverage the exposed data for stalking, extortion, and identity theft.

Background

On January 10, 2026, Malwarebytes Labs researchers reported a major data breach affecting approximately 17.5 million Instagram users. The exposed personal information includes usernames, physical addresses, phone numbers, and email addresses.

Breach Details

The researchers discovered a sensitive database containing this data being sold on a cybercrime forum, described as a "doxxing kit" targeting nearly 18 million Instagram accounts. Unlike previous data scrapes, this leak includes physical home addresses linked to Instagram user IDs, making it a significant invasion of privacy.

Potential Threats

Security experts warn that the stolen data could fuel a range of cyberattacks and real-world threats. By linking online identities to physical addresses, the breach enables stalking, swatting, extortion, and identity theft, turning a digital privacy breach into a potential safety risk.

Ongoing Phishing Attempts

Since the breach, over a million Instagram users have reported receiving password reset emails, sparking confusion and fears of a widespread phishing campaign. Researchers advise users to avoid clicking on these emails and to only reset passwords directly through the Instagram app.

Recommendations for Users

Instagram users should assume their data has been compromised and take immediate steps to protect their accounts and personal information. This includes enabling two-factor authentication, reviewing and removing third-party app permissions, and verifying the legitimacy of any password reset emails.

Sources

• https://securityaffairs.com/186765/data-breach/a-massive-breach-exposed-data-of-17-5m-instagram-users.html

• https://x.com/Complex/status/2010123080656715880

• https://www.instagram.com/p/DTWMC2SjzPq/

• https://www.instagram.com/reel/DTV5qQok3Er/

• https://evrimagaci.org/gpt/instagram-data-breach-exposes-millions-to-cyber-threats-523322?srsltid=AfmBOop1nohP4rG4SfsSU8yoqfDHxuremPi5cHt6kREBahCM6j-Il-ya