Massive Instagram leak: what happened and how to protect your account

Last update: January 11, 2026
  • A database containing information on 17.5 million Instagram accounts has been published and distributed on the dark web.
  • The leak includes usernames, emails, phone numbers and physical addresses, but not passwords.
  • Malwarebytes uncovered the case, while Instagram attributed it to a software failure without access to its systems.
  • Experts recommend changing your password, enabling two-step authentication, and being extremely cautious with reset emails.

A massive Instagram leak has once again raised serious concerns about the security of personal data on social networks. A massive database containing information on millions of users is circulating on dark web forums, where it is already being consulted and used by various cybercriminal groups.

According to research by the cybersecurity firm Malwarebytes and several specialists in the sector, the package brings together data from approximately 17.5 million Instagram accounts from all over the world. Although no passwords have been leaked, the combination of emails, phone numbers, and physical addresses provides a perfect breeding ground for highly sophisticated phishing campaigns and potential account hijacking attempts.

What exactly has been leaked and how was it discovered

What has come to light is not just any list, but a structured database that contains, among other things, Instagram usernames, associated email addresses, telephone numbers, partial physical addresses and other contact information. All of this is presented in formats such as JSON and TXT, with fields ordered in a way very similar to the responses of an API.

Malwarebytes detected that this data set had been published on BreachForums, one of the best-known forums for exchanging stolen data. In one of the posts, the database was initially attributed to an actor using the alias “Solonik,” and free access was offered to more than 17 million user records from different countries, even categorized by follower count.

The security firm explained that the leak appears to be related to a previous incident linked to the Instagram API, which would have occurred sometime in 2024. That vulnerability would have allowed the mass collection of profile information before the potential flaw was corrected.

Some experts and media outlets specializing in cybersecurity indicate that the data was obtained through large-scale scraping techniques, relying on public APIs or poorly protected endpoints and on poorly configured third-party integrations. That is, not so much a classic “hack” to gain access to Meta's servers as a prolonged exploitation of access points that were not properly limited, a risk that security measures on social networks are meant to address.

The two opposing versions: Malwarebytes versus Instagram

There is no single narrative about what happened. On the one hand, Malwarebytes maintains that confidential data has been stolen from 17.5 million accounts and that this package is currently being distributed on the dark web. The company emphasizes that it is a complete “doxing kit,” that is, a set of information prepared to identify and expose specific individuals, with a particular focus on profiles with many followers, such as influencers or business accounts.

On the other side is the official version from Instagram and Meta. The platform has denied that there was unauthorized access to its internal systems and has described what happened as a “software problem” which would have allowed a third party to request password reset emails for some accounts. In its statement, the company insists that “There was no breach of our systems and your Instagram accounts are safe.”, stating that it was a bug in the email sending process that had already been fixed.

The difference between the two positions is notable: while Malwarebytes speaks openly of a massive data leak and sale on the black market, Instagram downplays the incident as a technical error in its account recovery system. The reality, however, is that the database exists, circulates on the dark web, and matches what many users claim to have received: repeated password change emails.

In Spain and the rest of Europe, where the GDPR sets strict obligations regarding breach notifications, the lack of a formal announcement from Meta leaves the situation in a kind of limbo. Without detailed official confirmation, but with clear evidence of millions of records circulating, experts recommend that users assume the worst-case scenario and act accordingly, following guidelines to protect their online privacy.

What types of attacks are we seeing and why are they so dangerous?

Although Instagram passwords are not part of the leak, the exposed data is more than enough to mount very convincing attack campaigns. With the username, the exact email address, and, in many cases, the phone number and physical address, criminals can design personalized phishing messages that seem completely legitimate.

One of the most repeated patterns is the sending of password reset emails. These messages mimic Instagram's official format. Sometimes they're mixed in with authentic messages generated by the social network's own system, making them even harder to distinguish. The attackers play a trick on the user: they bombard them with "Forgot your password?" emails so that, in the chaos, they end up clicking on the wrong link.
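One way to triage the reset-email pattern described above, as an added example that is not part of the original article: it extracts every link from a message and reports the hosts that fall outside an allowlist. The trusted suffix `instagram.com`, the function names and the two sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumption for this example: only instagram.com and its subdomains are trusted.
TRUSTED_SUFFIXES = ("instagram.com",)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def host_is_trusted(host):
    """Exact match or true subdomain; a substring match is not enough."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def untrusted_link_hosts(raw_email):
    """Return the hosts of all links in the message that fail the allowlist."""
    msg = message_from_string(raw_email)
    hosts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for url in URL_RE.findall(text):
            # urlsplit().hostname drops any "user@" prefix and the port, so
            # "https://instagram.com@other.example/" resolves to other.example.
            host = urlsplit(url).hostname
            if not host_is_trusted(host):
                hosts.append(host)
    return hosts

# Constructed sample messages (not real Instagram emails).
PLAIN_RESET = """\
Subject: Reset your password

Use this link to reset your password:
https://www.instagram.com/accounts/password/reset/
"""

LOOKALIKE_RESET = """\
Subject: Reset your password

https://instagram.com.account-check.example/reset
https://instagram.com@login-verify.example/
https://short.example/a1b2
"""

if __name__ == "__main__":
    for name, raw in (("plain", PLAIN_RESET), ("lookalike", LOOKALIKE_RESET)):
        print(name, untrusted_link_hosts(raw))
```

A clean result only means the visible links point at the expected domain; it does not prove the message is authentic.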

Identity impersonation attempts have also been detected that exploit the leaked information to contact potential victims via SMS, email, or even phone calls. Knowing a person's physical address, or part of it, or the country where they live, makes it possible to create very credible messages that mention alleged regional incidents, legal changes, or security checks in Europe to lend more weight to the deception.

All of this context drastically lowers the barriers to social engineering attacks. There's no need to "break" Instagram's technical defenses if you can get the user to hand over their access credentials through a fake form, a shortened link, or a page that copies Meta's login interface.

How to check if your data is affected by the leak

For those who suspect they may be among the 17.5 million accounts affected, Malwarebytes has made a free verification tool available to the public. It works simply: you enter the email address linked to your Instagram account and the system checks if it appears in any known data breaches, including this one.

The process is based on several linked steps. First, the user writes their email in the search field provided by the company. The system then sends a verification code to that same address to ensure that the person making the query controls that mailbox. Only after correctly entering this code are the results displayed.

If the tool detects matches, it clearly indicates that personal information has been exposed. It also shows which specific incidents the email has appeared in and what type of data has been compromised. This makes it possible to determine whether the risk is related exclusively to Instagram or if the email was also leaked due to previous breaches.

It is worth remembering that these types of checkers do not solve the problem on their own, but they are useful for making decisions: change passwords, review suspicious access or even consider unlinking certain addresses from services that are considered sensitive.

Practical steps to strengthen your Instagram account

Beyond the debate about the exact origin of the leak, there are a number of basic safety measures that any user in Spain or the rest of Europe can and should start applying now. The first is to change your Instagram password directly from the app or website, without following links received via email.

In the mobile app, the process involves entering the profile, opening the three-line menu, going to “Account Center”, accessing the “Password and security” section and selecting “Change password”. On a computer, the process is similar: from the settings menu, you access the same account center and choose the option to change your password. Ideally, you should set a password that is long, robust and exclusive to Instagram, avoiding reusing it on other services and not repeating your most frequently used password.

Another key step is to activate two-factor authentication (2FA). This way, even if someone obtains the password, they will still need an additional code to log in. It's preferable to use authentication apps (such as Google Authenticator, Authy, Bitwarden, or 2FAS) instead of SMS, as text messages can be intercepted or targeted by SIM spoofing attacks.

Within the same security section, it is possible to review the devices and sessions where the account is active. If any mobile phone, tablet, or computer appears that you don't recognize, you can select it and remotely log it out, thus blocking potentially dangerous access. It's a quick check that's worth doing from time to time, especially if you notice any strange emails or notifications.

Finally, it's worth taking a look at the “Instagram emails” section in the settings. There, the platform lists which messages it has actually sent in recent days, helping to verify whether a security email is authentic or, on the contrary, a fraudulent copy attempting to take advantage of the confusion generated by the leak.

The situation generated by the massive Instagram leak combines several delicate elements: a massive database circulating on the dark web, conflicting accounts from a cybersecurity company and the platform itself, and millions of users exposed to increasingly sophisticated phishing campaigns. Although, according to indications, no passwords have been stolen nor has direct access to Meta's servers been confirmed, the volume of leaked personal information is enough that any oversight could result in lost accounts or privacy issues outside the app. Therefore, at this time, the wisest course of action is to proceed with caution, be wary of suspicious emails and links, and maximize the security options available within the application itself.
