TL;DR: A hacker named "Solonik" dumped 17.5 million Instagram user records on BreachForums on January 7, 2026. The data includes full names, usernames, verified emails, phone numbers, user IDs, and partial location data. No passwords, but that's cold comfort. The breach traces back to an Instagram API exposure in late 2024. Meta hasn't said a word. If you're on Instagram, enable MFA now and watch for phishing attacks.

What Got Leaked

January 7, 2026. A threat actor using the handle "Solonik" posted a dataset on BreachForums. The file: 17.5 million Instagram user records. The price: free.

Cybersecurity firm Malwarebytes caught it during routine dark web monitoring. They confirmed the breach is real.

Here's what's in the dump:

  • Full names
  • Usernames
  • Verified email addresses
  • Phone numbers
  • User IDs
  • Partial location data

Passwords don't appear to be included. Small victory. But everything else is there, enough to build detailed profiles on millions of people.

The API Leak

This wasn't a hack in the dramatic sense. No breached servers. No ransomware. No sophisticated intrusion.

It was an API leak. Someone exploited Instagram's application programming interface, the back-end system that lets apps communicate with the platform. Security researchers believe the data was scraped in late 2024 through a failure in rate-limiting or privacy safeguards.

API scraping is boring but effective. Automated tools query accounts one by one, slowly pulling public and semi-public data until you've got millions of records. The victim platform usually doesn't notice until the data shows up for sale.

This is the kind of vulnerability that shouldn't exist. Rate limiting exists. API access controls exist. But they have to be properly configured. And Instagram's, apparently, weren't.
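As an added illustration (not code from Instagram, Meta, or any source cited here), the sketch below shows why a per-minute rate limit alone misses the slow, one-by-one scraping described above, and how counting distinct profiles per client over a long window catches it. The log format, client names, and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

PER_MINUTE_LIMIT = 30            # classic burst limit (assumed value)
DISTINCT_LIMIT = 200             # distinct profiles per client per window (assumed)
WINDOW = timedelta(hours=24)

def parse(line):
    """Constructed format: '<ISO timestamp> <client_id> <looked-up user_id>'."""
    ts, client, user_id = line.split()
    return datetime.fromisoformat(ts), client, user_id

def analyze(lines):
    """Return (clients over the burst limit, clients over the breadth limit)."""
    per_minute = defaultdict(int)                   # (client, minute) -> requests
    recent = defaultdict(deque)                     # client -> (ts, user_id) in WINDOW
    counts = defaultdict(lambda: defaultdict(int))  # client -> user_id -> hits in WINDOW
    burst, breadth = set(), set()
    for ts, client, user_id in map(parse, lines):
        minute = ts.replace(second=0, microsecond=0)
        per_minute[(client, minute)] += 1
        if per_minute[(client, minute)] > PER_MINUTE_LIMIT:
            burst.add(client)
        q, seen = recent[client], counts[client]
        q.append((ts, user_id))
        seen[user_id] += 1
        while q and ts - q[0][0] > WINDOW:          # expire lookups older than WINDOW
            _, old = q.popleft()
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
        if len(seen) > DISTINCT_LIMIT:              # too many different profiles
            breadth.add(client)
    return burst, breadth

def sample_log():
    """Constructed traffic: a slow enumerator, a normal app, and a bursty client."""
    start = datetime(2024, 11, 1)
    rows = []
    for i in range(600):   # 'crawler': one new profile every 2 minutes for 20 hours
        rows.append((start + timedelta(minutes=2 * i), "crawler", f"u{i}"))
    for i in range(600):   # 'app': same volume, but only 12 profiles revisited
        rows.append((start + timedelta(minutes=2 * i, seconds=30), "app", f"f{i % 12}"))
    for i in range(40):    # 'burst': 40 lookups of one profile inside one minute
        rows.append((start + timedelta(hours=1, seconds=i), "burst", "f1"))
    rows.sort()
    return [f"{ts.isoformat()} {client} {uid}" for ts, client, uid in rows]

if __name__ == "__main__":
    print(analyze(sample_log()))
```

The slow enumerator never exceeds one request per minute, so only the breadth check flags it; the burst check flags a different client entirely.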

Meta's Silence

As of January 10, 2026, Meta has not issued any public statement about this breach.

No acknowledgment. No denial. No guidance for affected users. Just silence.

This is the company that knows more about you than your family does. When 17.5 million of its users get exposed, the least they could do is confirm or deny. Explain what happened. Tell people what to do.

Instead: crickets.

Maybe they're investigating. Maybe legal is reviewing. Maybe they hope it quietly blows over. Whatever the reason, affected users are flying blind.

The Password Reset Wave

Here's how you know the breach is being exploited: users are reporting unprompted password reset notifications.

If you didn't request a password reset and you're getting emails from Instagram about one, that's a red flag. Someone is using the leaked email addresses to test credentials or attempt account takeovers.

The attack vector works like this:

  1. Attacker gets your email from the breach
  2. Attacker triggers password reset
  3. If you click the link thinking it's legitimate, you might give up access
  4. Even if you don't click, attacker now knows your account is active

That's why password reset emails you didn't request are concerning. Don't click them. Go directly to instagram.com and check your security settings manually.

What This Breach Enables

No passwords leaked. So what's the big deal?

Plenty. Here's what attackers can do with names, emails, and phone numbers:

  • Targeted phishing: Personalized emails referencing your name and Instagram account are far more convincing than generic spam.
  • SIM swapping: Phone numbers enable attacks where criminals convince your carrier to transfer your number to their SIM card. Then they intercept your 2FA codes.
  • Social engineering: Knowing your name, email, phone, and Instagram activity lets attackers impersonate you, or impersonate services to trick you.
  • Account takeovers: Password resets, security question attacks, and credential stuffing (if you reuse passwords) all become easier with verified contact info.
  • Identity theft: Partial location data plus other details can be combined with other breaches to build comprehensive identity profiles.

17.5 million people just became easier targets.

What You Need to Do Now

Enable MFA (Not SMS)

Turn on multi-factor authentication using an authenticator app like Authy, Google Authenticator, or 1Password. Don't use SMS: if your phone number leaked, SMS-based 2FA is vulnerable to SIM swapping.

Change Your Password

Even though passwords weren't in this breach, change yours anyway. Make it unique, not used anywhere else. A password manager is recommended.

Check Login Activity

Go to Settings → Security → Login Activity. Look for any sessions you don't recognize. Log them out. If you see unfamiliar devices or locations, your account may already be compromised.

Revoke Third-Party Access

Settings → Security → Apps and Websites. Remove any apps you don't actively use. Old connected apps are attack vectors.

Watch for Phishing

Be suspicious of any emails claiming to be from Instagram or Meta. Don't click links in emails. Go directly to instagram.com for any security actions.

Consider Account Deletion

If Instagram isn't essential for you, delete your account. Data you don't store can't be breached. Instagram's value to Meta is your data, and clearly they can't protect it.

Meta's Pattern

This isn't Instagram's first rodeo. Meta's platforms have a history of data exposure.

In 2019, hundreds of millions of Facebook phone numbers were found in an unsecured database. In 2021, 533 million Facebook users had their data leaked through a contact import feature. In 2022, Ireland fined Meta €265 million for the 2021 breach.

The pattern: data gets exposed, Meta stays quiet as long as possible, fines get paid, nothing fundamentally changes. Users are the product. Data is the business. Security is a cost center, not a priority.

17.5 million Instagram users just learned that lesson the hard way.

References

  1. Cyber Press - Instagram Data Breach Exposes 17.5 Million Users (January 2026)
  2. Notebookcheck - Instagram Data Breach Analysis (January 2026)
  3. Engadget - Instagram Breach Puts 17 Million Users at Risk (January 2026)
  4. Malwarebytes - Instagram User Data Found on Dark Web (January 2026)
  5. Cyber Kendra - Instagram API Leak Technical Analysis (January 2026)