Instagram Denies Breach After 17 Million Account Leak Sparks Panic

by Aaron Leong — Monday, January 12, 2026, 10:20 AM EDT

A massive database purportedly containing the personal information of over 17 million Instagram users has surfaced on a popular hacking forum, sparking widespread concern over the security of the social media giant’s infrastructure. Meta denies this "leak" is anything to be concerned about and says it's merely from a compilation of older data.

hack site — *Forum posting of supposedly stolen Instagram account data*

The controversy began when a threat actor claimed to have exfiltrated a massive cache of personal data from 17.5 million Instagram accounts and then offered it on several hacking forums for free. The leaked dataset allegedly includes details such as account usernames, full names, email addresses, phone numbers, and profile descriptions. In some instances, the data appears to include location information and specific account IDs.

Of course, this raised alarms, as the nature and sheer number represents one of the most significant potential exposures for the platform since 2019, where a breach involved 49 million users. It also got the attention of security firm Malwarebytes.

Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more. pic.twitter.com/LXvjjQ5VXL
— Malwarebytes (@Malwarebytes) January 9, 2026

Despite the alarm, Instagram has issued a firm denial regarding any compromise of its systems. Instagram told BleepingComputer that there hadn't been any leak. Instead, the company suggests that the data currently circulating online is likely a compilation of publicly available information gathered through scraping, where automated bots crawl through public profiles to harvest data that users have already made visible to the world. While this does not involve hacking into private servers or stealing passwords, it remains a violation of the platform's terms of service and poses a privacy risk by centralizing disparate pieces of information into a single, searchable database.

Now, even if the data was scraped rather than stolen, the danger to users is real. When phone numbers and email addresses, for example, are paired with real names, malicious actors can still conduct targeted phishing attacks, SIM swapping, or credential stuffing. Since many people reuse passwords across multiple sites, any leak can be in favor of the hackers. This may also tie-in with Instagram password reset requests that some users have reported receiving in the past few days (which, again, Instagram says don't worry).

We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems and your Instagram accounts are secure.

You can ignore those emails — sorry for any confusion.
— Instagram (@instagram) January 11, 2026

Still, it goes without saying that you should practice frequent digital hygiene to stay on top of current threats. Experts recommend that you update their passwords to unique, complex strings and, most importantly, enable two-factor authentication (2FA) using an authenticator app rather than SMS-based codes. Furthermore, users are encouraged to review their privacy settings to limit the amount of information visible to the public, thereby reducing the "surface area" available for future scraping bots.