Over 17.5 million Instagram users’ personal data for sale on dark web: Report
Instagram allegedly suffered a data breach in which personal data belonging to over 17.5 million Instagram accounts was exposed to cybercriminals.
The purported security incident was first reported by Malwarebytes, an antivirus software firm, on January 9. While the potential incident is related to an Instagram API exposure from 2024, Malwarebytes said that “data is available for sale on the dark web and can be abused by cybercriminals.”
The exposed dataset includes usernames, physical addresses, phone numbers, email addresses, and more. In an email to its customers, Malwarebytes said that it discovered the leaked dataset during a routine dark web scan. The cybersecurity firm’s finding comes amid multiple user complaints about receiving several password reset request emails from Instagram. According to Malwarebytes, the leaked information is behind this issue.
Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more.
— Malwarebytes (@Malwarebytes) January 9, 2026
It warned that exposure of login credentials and other user info could lead to more serious attacks like phishing attempts or account takeovers. Hackers could also use the leaked information to log into user accounts on other platforms. This type of cyber attack is known as credential stuffing.
Instagram parent Meta has not released an official statement about the latest incident at the time of publication. The Indian Express has reached out to the social media giant for comment and will update this report with its response.
India is the country with the largest number of Instagram users (around 480.55 million as of October 2025), according to Statista. It is also home to more than 500 million Facebook and WhatsApp users, making it Meta’s largest single market.
For context, a user’s phone number and email address are classified as ‘personal data’ under the Digital Personal Data Protection (DPDP) Act, 2023, which defines ‘personal data breach’ as “any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.”
In November last year, the Ministry of Electronics and Information Technology (MeitY) notified the DPDP Rules, 2025, paving the way for India to have a functional data protection law. While certain provisions of the law such as the Right to Information (RTI) Act amendment and establishment of the Data Protection Board (DPB) of India are currently in force, other sections pertaining to safeguarding citizens are yet to come into effect.
For instance, the requirements for entities to seek informed consent from users before processing their personal data, to use their personal data only for specified legitimate uses, and to notify users of data breaches will only be operationalised after 18 months. However, the compliance timeline may vary for big tech companies and start-ups.
Meanwhile, users can safeguard themselves by reviewing what devices are logged into their Instagram account via Meta’s Accounts Center. “If you haven’t enabled two-factor authentication on your Instagram account, today is a great day to do so,” Malwarebytes wrote in a post on X.