Personal information from more than 17.5 million Instagram accounts is reportedly being offered for sale publicly on the dark web, raising major concerns about network security and the privacy of users worldwide. The incident was discovered by Malwarebytes, a software company specializing in anti-malware.
According to Malwarebytes, the leaked data may be related to an Instagram API vulnerability that appeared in 2024. Although the incident has not been officially confirmed by Meta (Instagram's parent company), the data has now appeared on dark forums, where cybercriminals often trade information for use in illegal activities.
The leaked data set is said to contain a lot of sensitive information such as usernames, phone numbers, email addresses, and even home addresses.
Malwarebytes said they discovered this data during a periodic dark web scan and warned customers immediately afterwards.
Notably, the incident comes as many Instagram users have reported repeatedly receiving emails asking them to reset their passwords even though they had not requested a reset.
According to cybersecurity experts, this may be a direct consequence of the leaked login information being exploited by hackers.
Malwarebytes warns that the risk from personal data leaks is not limited to losing Instagram accounts. Hackers can use this information to carry out phishing attacks or "credential stuffing", a technique that tries the same email and password pair to log in to many different platforms.
Malwarebytes recommends that users check which devices are logged in to their Instagram accounts through Meta's Account Center and activate two-factor authentication.
"If you haven't turned on two-factor authentication, today is the right time to do it," the company emphasized.