Data Breaches | January 10, 2026 | 4 min read

17.5 Million Instagram Accounts Leaked on BreachForums

A threat actor shared Instagram user data including emails and phone numbers for free. Users report receiving suspicious password reset emails within hours of the leak.

Sarah Mitchell

A data set containing 17.5 million Instagram accounts appeared on BreachForums this week, shared freely by a threat actor calling themselves "Solonik." Within hours of the leak, affected users began receiving password reset emails they never requested—a sign that attackers are already weaponizing the stolen data.

Security firm Malwarebytes confirmed the breach and warned that the exposed information creates immediate risk for account takeovers and phishing attacks. Meta hasn't acknowledged the incident.

What Was Exposed

The leaked data set contains:

  • Usernames
  • Email addresses
  • International phone numbers
  • User IDs
  • Physical mailing addresses (partial data)
  • Additional account metadata

The data appears to originate from an Instagram API leak that occurred in 2024. Solonik posted it on BreachForums on January 7, 2026, offering the entire collection for free in JSON and TXT formats.

Free distribution accelerates risk. When stolen data sells for thousands of dollars, exploitation requires investment and remains limited to funded threat actors. When it's free, anyone with basic skills can download and abuse it.

Real-Time Exploitation

The leak moved from theoretical risk to active exploitation within hours.

Starting around 4:00-5:00 AM EST on January 8, Instagram users began receiving legitimate password reset emails from [email protected]. The emails came unsolicited—users hadn't requested them. This pattern indicates threat actors are already attempting account takeovers using the leaked email addresses.

The attack flow is straightforward: attackers identify target accounts from the leaked data, request password resets using known email addresses, then attempt to intercept or social engineer access to the reset links. For accounts without two-factor authentication, this approach can succeed without any additional vulnerabilities.
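Seen from the platform side, the reset wave described above looks like one source requesting resets for many distinct accounts in a short window, with almost none of them completed. The sketch below is an added example, not code from the article or from Meta; the event format, source labels and thresholds are assumptions, and the log data is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source, account, event kind).
SAMPLE_EVENTS = [
    ("2026-01-08T09:00:05", "src-A", "user_001", "reset_requested"),
    ("2026-01-08T09:00:50", "src-A", "user_002", "reset_requested"),
    ("2026-01-08T09:01:30", "src-A", "user_003", "reset_requested"),
    ("2026-01-08T09:02:10", "src-A", "user_004", "reset_requested"),
    ("2026-01-08T09:03:40", "src-A", "user_005", "reset_requested"),
    ("2026-01-08T09:05:00", "src-B", "user_100", "reset_requested"),
    ("2026-01-08T09:06:10", "src-B", "user_100", "reset_completed"),
    ("2026-01-08T09:00:00", "src-C", "user_300", "reset_requested"),
    ("2026-01-08T09:40:00", "src-C", "user_301", "reset_requested"),
    ("2026-01-08T10:20:00", "src-C", "user_302", "reset_requested"),
    ("2026-01-08T11:00:00", "src-C", "user_303", "reset_requested"),
    ("2026-01-08T09:10:00", "src-D", "user_200", "reset_requested"),
    ("2026-01-08T09:10:20", "src-D", "user_200", "reset_requested"),
]

def find_reset_sprays(events, window=timedelta(minutes=10), min_accounts=4):
    """Flag sources that request resets for many distinct accounts in one window."""
    # Accounts where some reset was completed; the rest were never acted on.
    completed = {acct for _, _, acct, kind in events if kind == "reset_completed"}
    requests = sorted(
        (datetime.fromisoformat(ts), src, acct)
        for ts, src, acct, kind in events if kind == "reset_requested"
    )
    recent = defaultdict(deque)  # source -> (time, account) pairs still in window
    flagged = {}
    for when, src, acct in requests:
        queue = recent[src]
        queue.append((when, acct))
        while when - queue[0][0] > window:
            queue.popleft()
        accounts = {a for _, a in queue}
        # Repeated requests for one account do not count; breadth does.
        if len(accounts) >= min_accounts:
            if src not in flagged or len(accounts) > flagged[src]["accounts"]:
                flagged[src] = {
                    "accounts": len(accounts),
                    "never_completed": sorted(accounts - completed),
                }
    return flagged

if __name__ == "__main__":
    for source, detail in find_reset_sprays(SAMPLE_EVENTS).items():
        print(source, detail)
```

Keying on a single source identifier is the simplest case; requests spread across many sources need the same breadth-versus-completion signal aggregated on other attributes.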

Phone numbers in the leak enable SIM-swapping attacks against higher-value targets. Once attackers control a victim's phone number, they can intercept SMS-based authentication codes and bypass many security controls.

Meta's Silence

Meta has not confirmed the breach. Requests for comment have gone unanswered. There's no official statement on Meta's security pages or social media accounts.

This silence leaves affected users without clear guidance. They don't know if Meta is investigating, if the company has taken protective measures, or if additional data beyond what's public might have been compromised.

The lack of response doesn't necessarily indicate Meta is unaware. Large platforms often delay public acknowledgment while investigating incidents. But the delay leaves a vacuum that attackers fill with activity while users remain uninformed.

Who Is At Risk

Anyone with an Instagram account active in 2024 could be affected. The 17.5 million figure represents a subset of Instagram's user base, but there's no public list of affected accounts for users to check.

Signs your account might be compromised:

  • Unexpected password reset emails from Instagram
  • Login notifications from unfamiliar locations
  • Account settings you didn't change
  • Messages sent that you didn't write
  • Followers added or removed without your action

Users who reused their Instagram password elsewhere face compounding risk. Attackers routinely test stolen credentials across multiple services, a technique called credential stuffing. A leaked Instagram password becomes an attempted login at banks, email providers, and other platforms.

Protection Steps

Enable two-factor authentication if you haven't already. Use an authenticator app rather than SMS codes—the phone numbers in this leak make SIM-swapping attacks more viable.

Change your Instagram password to something unique you don't use elsewhere. If you've used your Instagram password on other services, change those too.

Review active sessions in Instagram's security settings. Revoke access from any devices or locations you don't recognize.

Watch for phishing emails that reference your Instagram account. Attackers can use leaked data to craft convincing messages that reference your real username or other details.

Monitor for account takeover attempts on other services, especially if you've reused credentials. Consider a password manager to generate unique passwords for each account.

The exposure of phone numbers creates longer-term risk. Consider whether your mobile carrier offers additional account security measures like PIN protection against SIM swaps.

The Bigger Picture

Social media breaches have become routine. Platforms collect vast amounts of personal data, making them attractive targets. This particular leak demonstrates how quickly stolen data moves from underground forums to active exploitation.

The 2024 origin of this data raises questions about Meta's detection and disclosure practices. If the company knew about the original leak, affected users weren't warned. If they didn't know, their security monitoring missed a significant incident.

For users, the lesson is familiar: assume your data is already exposed and secure accounts accordingly. The password reset wave that followed this leak shows how quickly theory becomes practice when stolen data circulates freely.
