Cybercriminals stole sensitive information from 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more. This data is available for sale on the dark web and can be misused by cyber criminals.
[image or embed]
— Malwarebytes (@malwarebytes.com) January 9, 2026 at 8:34 am
Have you recently received an unexpected password reset email from Instagram? If the comments on a Reddit post about this breach a few hours ago are any indication, you’re not alone.
It seems the physical addresses, phone numbers, email addresses and other information associated with the accounts of 17.5 million Instagram users is up for sale in sketchier parts of the Internet.
Apparently Malwarebytes scours the dark net for items like this, and it has been speculated that this cache of personal details is linked to the 2024 API breach, which potentially allowed an attacker to extract information from Instagram.
There are some steps you can take to make sure your information is secure, including:
- just resetting my password
- If you haven’t already turned on two-factor authentication
- Permanently deleting all social media accounts from all platforms
It appears that Instagram has not yet published any statement on this issue. Gizmodo has contacted Meta for comment, and will update if we hear back.
<a href