A significant data security incident has reportedly compromised the personal information of more than 17.5 million Instagram users, according to a new report from cybersecurity firm Malwarebytes. The alleged breach, first flagged on January 9, 2026, involves a dataset containing sensitive user details that is now being sold on the dark web.
What Data Was Exposed in the Instagram Breach?
The exposed dataset is said to include a trove of sensitive personal information. This encompasses usernames, physical addresses, phone numbers, and email addresses linked to the affected Instagram accounts. Malwarebytes discovered this leaked information during one of its routine scans of the dark web.
The antivirus software company linked this leak to an Instagram API exposure from 2024. It has warned that the availability of this data poses a severe threat, as cybercriminals can purchase and misuse it for malicious activities. The breach also explains a recent surge in user complaints about receiving unsolicited password reset emails from Instagram.
Implications and Risks for Users, Especially in India
The exposure of such login credentials and personal details opens the door to serious cyber attacks. Experts warn of increased risks of phishing attempts and complete account takeovers. Attackers could also employ a particularly dangerous tactic known as credential stuffing, in which they use the leaked credentials to attempt to log in to users' accounts on other platforms and services.
This incident holds major significance for India, which is Meta's largest single market. According to Statista, India had approximately 480.55 million Instagram users as of October 2025, the highest in the world. The country is also home to over 500 million users on Meta's other platforms, Facebook and WhatsApp.
Under India's Digital Personal Data Protection (DPDP) Act, 2023, a user's phone number and email address are classified as 'personal data'. The Act defines a 'personal data breach' as any unauthorized processing or accidental disclosure that compromises data confidentiality. While the DPDP Rules were notified in 2025, key provisions requiring companies to notify users of breaches are not yet fully operational.
Official Response and User Protection Steps
At the time of the initial reports, Instagram's parent company, Meta, had not released an official statement addressing this specific incident. The social media giant has been approached for comment, and its response is awaited.
In the meantime, cybersecurity experts strongly advise users to take immediate steps to secure their accounts. Malwarebytes has urged users to enable two-factor authentication (2FA) on their Instagram accounts without delay. Users should also review which devices are logged in to their Instagram account via Meta's Accounts Center and log out of any unfamiliar sessions.
This incident underscores the persistent vulnerabilities in data security even on major platforms and highlights the critical need for robust personal cyber hygiene as data protection laws evolve.