A massive trove of Instagram user data has just bubbled back to the surface, putting millions of accounts back in the crosshairs, more than a year after the original leak was deemed dead and buried.
Approximately 17.5 million accounts have been affected by this latest wave after the data began circulating on a notorious hacker forum in early January 2026. According to a security alert from Malwarebytes, a hacker with the pseudonym “Solonik” is the one behind the leak. While this feels like a brand-new security flaw, experts believe the data actually stems from a misstep from 2024 – a misconfigured Instagram API that allowed criminals to grab massive amounts of profile information before Meta could close the breach.
When this first happened, attackers were able to quietly collect data for months. Ultimately, the database disappeared from the dark web, but its sudden return proves a frustrating reality of the digital age: Once your information is out, it’s out there forever.
The resurfaced “doxxing kit” is particularly nasty because it is so detailed.
It’s not just usernames; it includes full names, email addresses, phone numbers and even physical home addresses. This is a goldmine for cybercriminals as it allows them to move beyond generic spam and launch incredibly convincing, targeted attacks. Malwarebytes is already seeing a rise in scammers posing as Instagram support to trick people into giving up their login details.
However, the cleverest part of this attack is the password reset scam. Instead of sending a fake, sketchy-looking email, hackers actually trigger real password reset requests from Instagram’s own servers. You receive a legitimate email from a “meta.com” or “instagram.com” address, you panic because you think someone is in your account, and in that moment of confusion you are much more likely to fall for a follow-up phishing text or phone call.
Since January 11, 2026, Meta has maintained silence on this matter.
Although the impact has been most noticeable in Europe so far, the risk is global – especially for anyone who uses the same password for Instagram as for their bank or email account.
The advice from security pros is simple but non-negotiable: change your password now, make sure it’s unique, and for heaven’s sake turn on two-factor authentication (preferably via app rather than SMS). This latest leak is a stark reminder that even if a company fixes a bug, the data already stolen through it can always come back to haunt you.




