Cybersecurity firm Malwarebytes said it has identified a large data leak involving personal information linked to about 17.5 million Instagram users, raising concerns about how the data could be exploited by cybercriminals.
According to Malwarebytes, the dataset was discovered during routine monitoring of dark web activity and was traced to a hacker using the name Solonik. The data was posted on BreachForums on Jan. 7, 2026, making it accessible to other malicious actors. The company said the files appeared in large, well-organized JSON and TXT formats and may be connected to an Instagram application programming interface exposure dating back to 2024.
The exposed information is reported to include Instagram usernames, full names, email addresses, international phone numbers, partial physical addresses and user identification numbers. Although passwords were not part of the dataset, the volume and sensitivity of the personal data could still enable a range of malicious activities.
Malwarebytes said attackers could use the information for impersonation, targeted phishing campaigns and attempts to compromise accounts, including by abusing password reset mechanisms that rely on email addresses or phone numbers.
See also: PlugMate Launch Marks New Approach to Digital Separation for Sensitive Data
Meta, Instagram’s parent company, has not confirmed the incident or provided details on how the data was obtained or whether affected users will be notified. Malwarebytes has advised users to remain vigilant for suspicious messages and to strengthen account security through measures such as two-factor authentication and strong, unique passwords.
