Hackers Expose Personal Data of 17.5 Million Instagram Users

Personal data of 17.5 million Instagram users has reportedly been shared online, with the data now circulating freely on hacker forums.

The leaked data is said to include a wide range of user details such as usernames, full names, email addresses, phone numbers, partial physical addresses, and other contact information. Cybersecurity observers warn that such data is commonly used to run impersonation scams, launch phishing attacks, and attempt account takeovers, often by exploiting account recovery methods.

Reports suggest the exposed records may be tied to an Instagram API-related leak from 2024. A threat actor using the alias “Solonik” allegedly posted the dataset on BreachForums on January 7, 2026, offering it for free.

The post claimed it contained more than 17 million entries in JSON and TXT formats and affected users worldwide. Sample records shared with the post reportedly showed raw fields like usernames, email addresses, international phone numbers, and user IDs, indicating the data appears structured like information pulled through an API.

So far, Meta, Instagram’s parent company, has not publicly confirmed the incident. There has also been no official statement visible on Meta’s security pages or social media channels regarding the reported leak.

It is still unclear how the information was obtained. The data could have come from an exposed API endpoint, a weakness in a third-party tool, or a technical misconfiguration. However, the format of the leaked records has raised concerns that the information may have been collected from profile metadata before 2025.