A massive treasure trove of Instagram user data has just bubbled back up to the surface, and it’s putting millions of accounts back in the crosshairs more than a year after the original leak was thought to be dead and buried.

Roughly 17.5 million accounts are caught up in this latest wave after the data started making the rounds on a notorious hacking forum in early January 2026. According to a security alert from Malwarebytes, a hacker going by the handle “Solonik” is the one behind the leak. While this might feel like a brand-new security breach, experts say the data actually stems from a 2024 misstep – a misconfigured Instagram API that allowed bad actors to scrape massive amounts of profile info before Meta could plug the hole.

Back when this first happened, attackers were able to quietly harvest data for months. Eventually, the database vanished from the dark web, but its sudden return proves a frustrating reality of the digital age: once your info is out there, it’s out there for good.

The resurfaced “doxxing kit” is particularly nasty because it’s so detailed

It doesn’t just have usernames; it includes full names, email addresses, phone numbers, and even physical home addresses. This is a goldmine for cybercriminals because it allows them to move past generic spam and launch incredibly convincing, targeted attacks. Malwarebytes is already seeing a spike in scammers pretending to be Instagram support to lure people into handing over their login details.

The cleverest part of this attack, however, is the password reset scam. Instead of sending a fake, sketchy-looking email, hackers are actually triggering real password reset requests from Instagram’s own servers. You get a legitimate email from a “meta.com” or “instagram.com” address, you panic thinking someone is in your account, and in that moment of confusion, you’re much more likely to fall for a follow-up phishing text or call.

As of January 11, 2026, Meta has stayed quiet on the matter

While the most visible impact has been in Europe so far, the risk is global – especially for anyone who uses the same password for Instagram as they do for their bank or email.

The advice from security pros is simple but non-negotiable: change your password now, make sure it’s unique, and for heaven’s sake, turn on two-factor authentication (preferably using an app rather than SMS). This latest leak is a blunt reminder that even if a company fixes a bug, the data stolen through it can come back to haunt you at any time.
