Overview
- Malwarebytes reports a dataset tied to about 17.5 million Instagram accounts circulating on dark‑web forums, including usernames, phone numbers, email addresses and some physical addresses.
- The trove was reportedly posted on BreachForums by a user known as “Solonnik,” with multiple outlets noting that passwords were not reported as included.
- Security researchers link the data to a 2024 Instagram API exposure that enabled large‑scale scraping, while full attribution and impact assessments continue.
- Users have reported a surge of legitimate‑looking password reset emails, and experts warn the data could fuel phishing and account‑takeover attempts if recipients click through.
- Meta states its systems were not breached and says it has fixed the reset‑email trigger issue; users are urged to enable two‑factor authentication, change passwords via the app, verify emails from @mail.instagram.com, and check breach databases such as Have I Been Pwned.