TL;DR: On January 7, 2026, a threat actor named "Solonik" posted a dataset of 17.5 million Instagram accounts on a dark web marketplace. The data includes usernames, real names, verified email addresses, phone numbers, and partial physical addresses. Attackers are already using the exposed contact info to trigger password reset emails and verify which accounts are active. Meta says there was "no breach" and accounts are "secure," despite users worldwide receiving suspicious password reset requests. Enable 2FA with an authenticator app immediately. Don't click password reset links you didn't request.

What Happened

On January 7, 2026, cybersecurity researchers discovered a dataset titled "INSTAGRAM.COM 17M GLOBAL USERS - 2024 API LEAK" for sale on a dark web marketplace. The seller: a threat actor using the handle "Solonik."[1]

The data reportedly contains information on 17.5 million Instagram accounts from around the world. According to analysis by Malwarebytes and other security firms, the leak includes:[2]

  • Usernames and user IDs
  • Full real names
  • Verified email addresses
  • International phone numbers
  • Partial physical addresses

Investigators believe the data was collected in late 2024 through a misconfigured API endpoint, then held until early 2026 for sale.[1]

The Password Reset Wave

Shortly after the data appeared online, users worldwide started receiving unsolicited password reset emails sent from Instagram's legitimate email domain.[3]

This isn't phishing. Attackers are using the exposed contact information to trigger real password reset requests through Instagram's official system. It's a verification technique: if the reset email goes through, the account is active and the contact info is valid.

Security researchers found attackers using this method to:[1][3]

  • Confirm which leaked accounts are still active
  • Identify accounts without strong authentication
  • Prepare for targeted account takeover attempts
  • Build lists of verified, high-value targets

The reset emails are real. The danger is clicking them when you didn't request them, or responding to follow-up phishing attempts that look similar.
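One defender-side way to spot the reset wave described above, as an added example that is not from the article or from Meta: it scans a constructed, hypothetical reset-request log (the log format and IP addresses are invented for this example) and flags any source that requests resets for more than a handful of distinct accounts within a short window, which is the signature of using the reset flow as an account-existence check.

```python
"""Detect password-reset enumeration bursts in a reset-request log.

Hypothetical log format (constructed for this example, not Instagram's):
  <ISO-8601 time> reset_request src=<ip> account=<id> result=<sent|no_account>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
MAX_DISTINCT_ACCOUNTS = 5  # distinct targets per source within WINDOW before alerting

# Constructed sample: one source cycling through many accounts (enumeration),
# one ordinary user retrying a reset for their own account.
SAMPLE_LOG = """\
2026-01-08T10:00:01Z reset_request src=198.51.100.7 account=u1001 result=sent
2026-01-08T10:00:04Z reset_request src=198.51.100.7 account=u1002 result=sent
2026-01-08T10:00:09Z reset_request src=198.51.100.7 account=u1003 result=no_account
2026-01-08T10:00:15Z reset_request src=198.51.100.7 account=u1004 result=sent
2026-01-08T10:00:21Z reset_request src=198.51.100.7 account=u1005 result=sent
2026-01-08T10:00:30Z reset_request src=198.51.100.7 account=u1006 result=sent
2026-01-08T10:02:00Z reset_request src=203.0.113.5 account=u2001 result=sent
2026-01-08T10:03:00Z reset_request src=203.0.113.5 account=u2001 result=sent
"""


def parse_line(line):
    """Split one log line into (timestamp, source IP, target account)."""
    ts, _event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), kv["src"], kv["account"]


def detect_enumeration(log_text, window=WINDOW, threshold=MAX_DISTINCT_ACCOUNTS):
    """Return {src: time_of_first_alert} for every source that requested resets
    for more than `threshold` distinct accounts inside any `window`-long span."""
    recent = defaultdict(deque)  # src -> deque of (time, account), oldest first
    alerts = {}
    for line in log_text.splitlines():
        ts, src, account = parse_line(line)
        q = recent[src]
        q.append((ts, account))
        while q and ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = {acct for _, acct in q}
        if len(distinct) > threshold and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for src, when in detect_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {when.isoformat()} source {src} requesting resets across many accounts")
```

The `result` field in the sample is there to make a second point: if the reset endpoint answers differently for existing and non-existing accounts, that difference is itself the oracle, so the response should be uniform and the distinction kept server-side in logs like these.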

Meta's Response

On January 11, 2026, Meta finally addressed the situation publicly. Their statement:[4]

"We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems and your Instagram accounts are secure."

Let's parse that carefully. Meta says:

  • No "breach of systems," meaning their servers weren't hacked
  • Accounts are "secure," meaning passwords weren't exposed
  • They "fixed an issue," acknowledging something was wrong

What Meta doesn't explain: how 17.5 million users' personal information ended up on the dark web. If there was no breach, where did Solonik get the data?

The most likely answer: API scraping. Someone found a way to systematically query Instagram's systems and extract profile data at scale. That's not technically a "breach," but it's still Meta failing to protect user data.

Meta's Track Record

This isn't Meta's first data protection controversy. Not even close.[5]

  • September 2024: Meta paid a $101 million penalty after revelations that around 600 million Facebook and Instagram passwords had been stored in plaintext without adequate security
  • 2021: A scraping incident exposed data from 533 million Facebook users
  • 2019: Phone numbers from 419 million Facebook accounts leaked online
  • 2018: Cambridge Analytica scandal revealed mass data harvesting

Each time, Meta assured users that accounts were "secure" and no passwords were exposed. Each time, users' personal data ended up circulating among criminals anyway.

The pattern is consistent: Meta treats password exposure as the only meaningful security failure. But your email, phone number, and real name in criminal hands are still a problem, even if your password is safe.

What This Data Enables

The leaked information, even without passwords, creates significant risks:[1][2]

  • Account takeover via SIM swapping: Phone numbers enable attacks on SMS-based authentication
  • Targeted phishing: Real names and verified emails make convincing scam messages
  • Credential stuffing: Email addresses get tested against password databases from other breaches
  • Social engineering: Personal details help attackers impersonate friends or family
  • Stalking and harassment: Location data and contact info enable real-world targeting

17.5 million people just had their attack surface dramatically expanded. Even if Instagram passwords stay safe, the exposed data connects to every other online account using the same email or phone number.

What You Should Do

Enable Authenticator-Based 2FA

Instagram supports authentication apps like Google Authenticator or Authy. Enable this immediately. SMS-based 2FA is vulnerable to SIM swapping. Use an authenticator app instead.

Ignore Unexpected Password Resets

If you receive a password reset email you didn't request, don't click any links. Go directly to Instagram's app or website to check your account security.

Check Login Activity

In Instagram settings, review "Login Activity" to see all devices with access to your account. Revoke any you don't recognize.

Use a Unique Password

If your Instagram password is reused anywhere else, change it. Use a password manager to generate unique, random passwords for every account.

Audit Your Contact Info

Consider whether you need your real phone number and email attached to Instagram. You can use email aliases and Google Voice numbers for social media accounts.

Watch for Phishing

Expect targeted scams referencing your Instagram activity. Be suspicious of any message asking you to verify your account, click links, or provide login credentials.

The Real Problem

17.5 million accounts out of Instagram's 2+ billion users is a small percentage. But those 17.5 million people are now permanent targets.

The bigger issue: we've normalized handing social media platforms our real names, phone numbers, and email addresses. When that data inevitably leaks (through breaches, scraping, or insider access), we're told our accounts are "secure" because passwords weren't exposed.

That framing serves platforms, not users. A password can be changed. Your phone number, email, and real name? Those stick with you. Every leak makes you slightly more vulnerable, permanently.

Meta's response (minimizing, deflecting, claiming no "breach") is the same playbook they've used for years. Users deserve better than semantic games about what counts as a security failure.

References

  1. CyberPress - 17.5 Million Instagram Accounts Exposed in Major Data Leak (January 2026)
  2. CyberSecurity News - Instagram Data Leak Exposes Sensitive Info of 17.5M Accounts (January 2026)
  3. Engadget - Instagram says accounts 'are secure' after wave of suspicious password reset requests (January 2026)
  4. Engadget - An Instagram data breach reportedly exposed the personal info of 17.5 million users (January 2026)
  5. Cybersecurity Insiders - Here's the truth about Instagram Data Breach 2026 (January 2026)