Meta is facing heightened scrutiny after a confirmed security incident exposed the data of 17.5 million Instagram users. Cybersecurity firm Malwarebytes verified the breach; the exposed data includes usernames, email addresses, phone numbers, and partial physical addresses.
Security researchers say the stolen information is circulating on dark web forums, increasing the risk of account takeovers and targeted scams. The exposure has also caused confusion among users, as many received unsolicited password reset emails from Instagram’s official security address beginning January 8.
Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more.
— Malwarebytes (@Malwarebytes) January 9, 2026
Although the emails originate from a legitimate domain, recipients did not request the resets. This sparked concerns about a system malfunction or a phishing campaign. Experts now believe the emails are likely linked to the breach, with threat actors using leaked data to initiate account recovery workflows or conceal more focused phishing attempts.
🚨Cyber Alert – Instagram breach exposes data of 17.5 million accounts
A major security breach affecting Instagram was discovered this week by Malwarebytes, revealing that 17.5 million user accounts were compromised.
The stolen data includes usernames, email addresses, phone…
— Hackmanac (@H4ckmanac) January 10, 2026
Investigators attribute the leaked dataset to a hacker using the alias “Solonik.” The data reportedly traces back to an API-related exposure from 2024, suggesting a technical weakness that may have remained undetected for months.
As of now, Meta has not issued an official public statement addressing the breach or outlining remediation steps. Security specialists advise users to enable two-factor authentication, review recent login activity, and avoid clicking links in unexpected emails, even if they appear legitimate.