Instagram data breach affecting 17.5 million users: Was an API vulnerability to blame? And how can you protect your account?

Instagram users are currently facing growing concerns about the leakage of sensitive personal data after cybersecurity firm Malwarebytes revealed that data from millions of accounts was being sold on the dark web, coinciding with a widespread and unusual surge in password reset messages.

What exactly happened?

According to a Malwarebytes report (published on their website and cited by sources such as 9to5Mac on January 13, 2026), data from 17.5 million Instagram accounts was leaked, including:

  • Usernames
  • Associated email addresses
  • Phone numbers (if linked)
  • Other information commonly used for phishing or account reuse

This data appeared for sale on dark web forums shortly after millions of users received password reset messages from Instagram, raising suspicions of a security breach.

Instagram's stance: No system breach

Instagram categorically denied any breach of its internal systems. In a statement published on Tuesday, January 13, 2026, on the company's official X account, it said:

"We have fixed an issue that allowed a third party to request password reset emails for some users. There was no breach of our systems, and your Instagram account is secure."

The company confirmed that the issue was in the application programming interface (API) that enables password reset requests and that it was fixed immediately upon discovery.

Possible Cause: API Vulnerability Discovered Since 2024

Malwarebytes investigations indicate that the leak is most likely linked to a known security vulnerability in Instagram's API, first reported in 2024, which allowed third parties to send password reset requests in large quantities without needing access to the actual accounts.

In other words, Instagram's database was not compromised. Instead, a vulnerability was exploited that allowed email addresses associated with accounts to be collected through repeated automated requests, and the resulting lists were then sold to cybercriminals.
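To make the mechanism concrete from the defender's side, the following added example (illustrative code written for this article, not Instagram's API or Malwarebytes' findings) contrasts a password-reset handler whose reply differs by account existence and echoes the linked address with a hardened handler that returns one uniform reply, keeps the address server-side, and throttles both the requesting client and the targeted account. The user store, addresses and client identifiers are all constructed.

```python
"""Password-reset endpoint: leaky design beside a hardened design (added example).

Constructed toy code. USERS is a made-up account store, not real data.
"""
import time
from collections import defaultdict, deque

# Constructed sample accounts with fictitious addresses.
USERS = {"alice": "alice@example.com", "bob": "bob@example.org"}

# The hardened handler says exactly this whether or not the account exists.
GENERIC_MESSAGE = "If an account matches, a reset email has been sent."


def reset_leaky(username: str) -> dict:
    """Weak design shown for contrast: status and text reveal whether the
    account exists, and the reply echoes the linked address. Repeated
    automated calls therefore harvest a username-to-address mapping."""
    if username in USERS:
        return {"status": 200, "message": f"Reset link sent to {USERS[username]}"}
    return {"status": 404, "message": "No account with that username"}


class ResetService:
    """Hardened design: uniform reply, per-client and per-target throttling,
    and the address never leaves the server."""

    def __init__(self, max_per_window: int = 5, window_seconds: int = 3600,
                 clock=time.monotonic):
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.clock = clock                  # injectable so tests control time
        self._hits = defaultdict(deque)     # throttle key -> request timestamps
        self.outbox = []                    # addresses queued server-side only
        self.audit = []                     # (client, target) pairs that hit the limit

    def _throttled(self, key: str, now: float) -> bool:
        """Sliding-window counter: True when the key is over its limit."""
        stamps = self._hits[key]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()                # drop requests outside the window
        if len(stamps) >= self.max_per_window:
            return True
        stamps.append(now)
        return False

    def request_reset(self, username: str, client_id: str) -> dict:
        now = self.clock()
        # Throttle on the requester AND on the target account, so a requester
        # spread over many clients still cannot mass-trigger resets for one user.
        client_blocked = self._throttled(f"client:{client_id}", now)
        target_blocked = self._throttled(f"target:{username}", now)
        if client_blocked or target_blocked:
            self.audit.append((client_id, username))   # feed for detection review
            return {"status": 429, "message": "Too many requests; try again later."}
        if username in USERS:
            self.outbox.append(USERS[username])        # address stays server-side
        # Identical status and text for existing and non-existing accounts.
        return {"status": 202, "message": GENERIC_MESSAGE}


if __name__ == "__main__":
    print(reset_leaky("alice"), reset_leaky("nobody"))
    svc = ResetService(max_per_window=3, window_seconds=60)
    for name in ("alice", "nobody", "carol", "dave"):
        print(svc.request_reset(name, "client-1"))
```

The audit list is the part a security operations team would wire into alerting: a burst of 429s for one target, or one client cycling through many usernames, is the signal that distinguishes bulk harvesting from a user who simply forgot a password.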

Urgent Security Tips to Protect Your Account

Instagram and security experts recommend the following steps immediately:

  1. Do not click on any links in password reset emails unless you initiated the process yourself within the app.
  2. Verify the email source: Official emails only come from addresses like security@mail.instagram.com or no-reply@mail.instagram.com.
  3. Enable two-factor authentication (2FA) if it isn't already enabled, and preferably use an authenticator app instead of text messages.
  4. Change your password directly within the app (not via email), and use a strong, unique password.
  5. Check connected devices: In Account Settings → Security → Login from Other Devices, and end any unfamiliar sessions.
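Tip 2 is the one most often defeated by lookalike senders, so here is an added example (written for this article, not Instagram's or Malwarebytes' code) that checks a From header against the official sending domain named above. It extracts the real address rather than the display name, compares the domain exactly so that subdomain tricks and homoglyph lookalikes fail, and reports why a header was flagged. The headers it is run on are constructed.

```python
"""Sender check for password-reset emails (added example, constructed headers)."""
from email.utils import parseaddr

# The article names security@ and no-reply@ addresses on this domain as the
# only official senders. Exact match only: a longer domain that merely starts
# with "mail.instagram.com" is not official.
OFFICIAL_DOMAINS = {"mail.instagram.com"}


def sender_domain(from_header: str) -> str:
    """Lowercased domain of the actual address in a From header.

    The display name is ignored on purpose: the header
    '"security@mail.instagram.com" <x@evil.example>' yields 'evil.example'.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def check_sender(from_header: str) -> dict:
    """Return the domain, whether it is official, and the reasons if not."""
    name, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    reasons = []
    if not domain:
        reasons.append("unparseable sender address")
    elif domain not in OFFICIAL_DOMAINS:
        reasons.append(f"domain {domain!r} is not an official sender")
    # A display name that itself looks like an address on another domain is a
    # common impersonation pattern; flag it even when the real domain is fine.
    if "@" in name and name.rsplit("@", 1)[1].lower() != domain:
        reasons.append("display name shows an address on a different domain")
    return {"domain": domain, "official": not reasons, "reasons": reasons}


def is_official_sender(from_header: str) -> bool:
    return check_sender(from_header)["official"]


if __name__ == "__main__":
    # Constructed sample headers; none are real messages.
    samples = [
        "Instagram <no-reply@mail.instagram.com>",
        "Instagram Security <security@MAIL.Instagram.com>",
        "Instagram <security@mail.instagram.com.example.net>",
        '"security@mail.instagram.com" <reset@evil.example>',
        "Instagram <no-reply@mail.instagr\u0430m.com>",   # Cyrillic 'а' homoglyph
    ]
    for s in samples:
        print(check_sender(s), "<-", s)
```

This catches the cases a reader can see in the header; it does not replace the SPF, DKIM and DMARC checks that a mail provider performs, since the From header itself can be forged outright. Tip 1 still applies: a reset email you did not request should be ignored even when the sender checks out.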

There is no evidence of an actual breach of Instagram's database, but exploitation of an API vulnerability led to the collection of a large number of email addresses associated with accounts, which were then sold on the dark web. The real danger now lies in phishing attacks that could use this data to try to steal accounts.

Be cautious and do not click on any suspicious links, even if the email appears official. Your account is safe as long as you do not grant anyone access to it yourself.
