Overview
- The dataset includes usernames, email addresses, phone numbers, partial physical addresses and other contact fields linked to roughly 17.5 million Instagram accounts.
- Malwarebytes reports the files were posted on BreachForums on Jan. 7 by a user using the alias “Solonik” and are now freely circulating.
- Passwords are not included, but the exposed details lower barriers to social‑engineering and account‑takeover attempts, and experts advise changing passwords, using unique credentials and enabling two‑factor authentication.
- Some Instagram users report receiving unexpected password‑change notifications, a sign attackers may be probing account recovery or attempting access.
- Meta has not publicly confirmed the incident, and analysts note similarities to a 2024 API‑related exposure while the exact source remains unverified.