Instagram allegedly suffered a data breach in which personal information belonging to over 17.5 million Instagram accounts was exposed to cybercriminals.
The purported security incident was first reported by Malwarebytes, an antivirus software company, on January 9. While the potential incident is related to an Instagram API exposure from 2024, Malwarebytes said that “information is available for sale on the dark web and will be abused by cybercriminals.”
The exposed dataset includes usernames, physical addresses, phone numbers, email addresses, and more. In an email to its customers, Malwarebytes said that it discovered the leaked dataset during a routine dark web scan. The cybersecurity firm’s finding comes amid several user complaints about receiving multiple emails from Instagram on password reset requests. According to Malwarebytes, the leaked information is behind this issue.
Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more. pic.twitter.com/LXvjjQ5VXL
— Malwarebytes (@Malwarebytes) January 9, 2026
It warned that exposure of login credentials and other user information could lead to more serious attacks like phishing attempts or account takeovers. Hackers could also use the leaked information to log into user accounts on other platforms. This type of cyber attack is known as credential stuffing.
Instagram parent Meta has not released an official statement about the latest incident at the time of publication. The Indian Express has reached out to the social media giant for comment and will update this report with its response.
India is the country with the most Instagram users (around 480.55 million as of October 2025), according to Statista. It is also home to more than 500 million Facebook and WhatsApp users, making it Meta’s largest single market.
For context, a user’s phone number and email address are classified as ‘personal data’ under the Digital Personal Data Protection (DPDP) Act, 2023, which defines ‘personal data breach’ as “any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.”
In November last year, the Ministry of Electronics and Information Technology (MeitY) notified the DPDP Rules, 2025, paving the way for India to have a functional data protection law. While certain provisions of the law such as the Right to Information (RTI) Act amendment and establishment of the Data Protection Board (DPB) of India are currently in force, other sections pertaining to safeguarding citizens are yet to come into effect.
For instance, the requirement for entities to seek informed consent from users before processing their personal data, using their personal data only for specified legitimate uses, and for entities to notify data breaches to users, will only be operationalised after 18 months. However, the compliance timeline may vary for big tech companies and start-ups.
Meanwhile, users can safeguard themselves by reviewing what devices are logged into their Instagram account via Meta’s Accounts Center. “If you haven’t enabled two-factor authentication on your Instagram account, today is a superb day to do so,” Malwarebytes wrote in a post on X.

