Massive Instagram data breach: 17.5 million accounts exposed

  • A massive data leak has exposed data from approximately 17.5 million Instagram accounts.
  • The records are sold and shared on the dark web with contact information and partial location.
  • Legitimate and fake password reset emails are multiplying, taking advantage of the leaked data.
  • It's crucial to change your password, enable two-step authentication, and be wary of links in emails.

A massive data leak on Instagram has set off alarm bells among users, cybersecurity experts, and European authorities. The personal data of approximately 17.5 million accounts has ended up circulating on dark web forums, where it is shared and sold with virtually no control.

The situation is especially worrying because, although passwords haven't been leaked directly, the combination of personal data and account activity allows cybercriminals to launch highly credible phishing campaigns, attempt to hijack profiles, and, in the most serious cases, carry out identity fraud and attacks that extend beyond the digital world.

What is known about the massive leak of 17.5 million accounts

The alert was triggered when Malwarebytes, one of the leading cybersecurity companies, detected a huge database linked to Instagram users posted on cybercrime forums. The collection, which contains around 17.5 million records, was reportedly compiled during 2024 and has been openly shared on platforms like BreachForums and other underground marketplaces.

According to the company's analysis, the database contains information associated with real social network profiles: usernames, email addresses, phone numbers, and partial physical addresses, in addition to other contact fields. In many cases, the records are presented in formats such as JSON or TXT, with structures very similar to API responses, which reinforces the hypothesis of abuse or exposure of Instagram interfaces or connected services.

Malwarebytes and other independent analysts suggest that this data package may have originated from an Instagram API vulnerability or leak detected in 2024. Access to poorly protected endpoints, poorly configured third-party integrations, or massive scraping using information accessible by country are among the possibilities considered by specialists.

Although the parent company, Meta, has not offered a detailed explanation of the specific source of this data dump, the fact that the data is circulating freely on the dark web and has even been published for free by certain actors makes this leak one of the most serious incidents the platform has faced in recent years.

What data has been leaked and why is it so sensitive

What makes this incident especially delicate is not just the number of accounts, but the type of information that has been exposed. According to reports from Malwarebytes and other observers, the following appear combined in the records:

  • Instagram usernames, in many cases associated with public, professional or content creator profiles.
  • Email addresses used as contact or account access.
  • Telephone numbers linked to profiles, common in accounts that use SMS verification or commercial features.
  • Complete or partial physical addresses, which allow the account holder to be placed in the real world.
  • Other contact details and auxiliary fields, such as real names or additional information, that strengthen the ability to identify.

This mix breaks down the barrier between digital and physical: it's no longer just about an isolated email or an alias on social networks, but rather a fairly complete profile of the person behind the account. This greatly facilitates identity theft, both online and, in extreme cases, in offline transactions or interactions. It can therefore be helpful to review guides on erasing your online footprint and minimizing exposure.

Another important issue is that the data is being distributed in segmented batches. The batches are organized by country, language, or number of followers, prioritizing high-visibility accounts such as influencers, businesses, and brands. This means the impact in Europe, including Spain, could be significant, as many professional profiles rely on Instagram for their daily operations.

Although passwords aren't among the leaked fields, the level of detail in the contact information greatly reduces the effort attackers need to try to access accounts. With an email address, phone number, and real name, it's relatively easy to craft convincing messages that lead the victim to hand over their password or approve security changes. That's why it's worth learning how to create more secure passwords and use password managers.

Conflicting accounts: what Malwarebytes says and what Instagram maintains

Following the publication of the data and the coverage it received in the media and on social networks, two main accounts of what happened have taken shape. On one hand, there's the version from Malwarebytes and other security experts who have analyzed the database; on the other, there's the official version from Instagram and Meta.

Malwarebytes describes the finding as a massive data breach affecting 17.5 million accounts, associated with an API exposure or systematic scraping carried out during the last months of 2024. The company speaks of a true “doxing kit”: an information package designed to identify, profile and, if necessary, harass or defraud the owners of the affected accounts.

On the other side, Instagram has tried to downplay the incident. The platform maintains that there has been no unauthorized access to its servers and that its systems have not been hacked. In its statements, the company acknowledges a software issue that may have allowed third parties to trigger password reset emails to certain users, but insists that the accounts remain secure and that there has been no direct breach of its databases.

This technical nuance, however, does not solve the core of the problem: personal information is already circulating on the dark web and is being used for potentially criminal activities. The differing accounts focus more on the exact origin of the failure and the platform's responsibility than on the practical reality that users now face.

Meanwhile, in European online communities, forums, and social networks, testimonies are multiplying from people who, in a matter of days, began to receive several password change emails, suspicious access alerts, or messages that perfectly mimic Instagram's official style and design.

The dark web as a marketplace: how your data is traded

Once a dataset of this size enters the circuits of the dark web, control over its dissemination is lost virtually forever. According to reports, some of the database has been offered for sale, while certain actors have chosen to share it for free to gain reputation within cybercrime communities. This type of exposure often leads to harassment and doxing campaigns against vulnerable users.

In this environment, packages are classified by criteria such as country, language, number of followers, or account type. Thus, a batch made up of highly visible European profiles, for example from Spain, France or Germany, is particularly valuable, since it can be exploited for localized campaigns, more credible scams, or attacks directed at companies and creators with income linked to the platform.

Cybercriminals combine these files with other public sources or previous leaks, building very detailed profiles of each user. With that information, it becomes easier for them to connect accounts across different networks, locate professional profiles on LinkedIn, track corporate emails, or even cross-reference data with leaked records from financial services and e-commerce.

One of the threats most frequently mentioned by specialists is the possibility that this data could be used for identity fraud, SIM swapping, or high-level social engineering attacks. For example, knowing the phone number and operator, one can attempt a SIM swap to intercept verification SMS messages, or contact the victim pretending to be their bank, a messaging service, or even Meta support.

All of this means that, beyond the initial shock, the risk persists over time. The leak is not a one-off event that can be "fixed" with a patch: the data is already out there and can reappear in new scam campaigns months or years after it was made public.

Wave of password reset emails: what's going on

One of the most visible symptoms of this incident is the wave of password reset emails that users around the world have been reporting since the beginning of 2026. Many people, including accounts with thousands or millions of followers, have received several messages in a few days asking to confirm a password change they never requested.

In some cases, these are legitimate emails sent by Instagram's own systems. These messages are likely triggered by bots or malicious scripts testing addresses associated with the massive data breach. In other cases, the messages mimic the official design but include links that lead to fraudulent pages where the user is asked to enter their password or additional information.
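One way to apply this when triaging a reported reset email, as an added example that is not part of the original article: list every link whose real host is not Instagram's. The trusted-domain list, the sample message and its `.example` hosts are assumptions constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only domain treated as genuine; adjust to your own allow-list.
TRUSTED_DOMAINS = ("instagram.com",)

class _LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def is_trusted_host(host):
    """True only for a trusted domain itself or a genuine subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def suspicious_links(raw_email):
    """Return links that are not HTTPS or whose real host is not trusted."""
    collector = _LinkCollector()
    for part in message_from_string(raw_email).walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True)
            charset = part.get_content_charset() or "utf-8"
            collector.feed(body.decode(charset, "replace"))
    flagged = []
    for href in collector.hrefs:
        url = urlsplit(href)
        # urlsplit().hostname ignores any "user@" prefix placed before the host.
        if url.scheme != "https" or not is_trusted_host(url.hostname):
            flagged.append(href)
    return flagged

# Constructed sample: one genuine-looking link and two lookalikes.
SAMPLE_EMAIL = """From: Instagram <security@mail.instagram.com>
Subject: Reset your password
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<a href="https://www.instagram.com/constructed-reset-path">Reset</a>
<a href="https://instagram.com.account-help.example/reset">Reset password</a>
<a href="https://instagram.com@login.example/reset">Get help</a>
"""
```

An empty result only means the links point at the expected host; the advice to check the account from the official app or website rather than from the email still applies.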

This mix of real and fake emails creates confusion and security fatigue: the more notifications of this type you receive, the easier it is to let your guard down and end up clicking on a link without thinking too much about it. That's why experts insist on not interacting with buttons included in emails, even if the sender seems legitimate.

The general recommendation is very clear: if you receive a password reset notification that you did not request, ignore the message, don't click on the link, and check the official app or website directly. If there really is a problem with your account, you can check it from Instagram's security settings, without relying on that email, and, if necessary, change your Instagram password from the app.

In Spain and the rest of Europe, where Instagram use is widespread among teenagers, young adults, and digital economy professionals, this type of campaign can have a particular impact on people less accustomed to detecting online fraud or on small businesses that manage the social network in a more informal way.

How to check if your email is affected

With the leak now confirmed by various industry players, many users are logically wondering whether their email address or other details are listed in the database of 17.5 million accounts. Malwarebytes has made available a free tool that allows anyone to perform an initial check.

The process is quite simple: you enter the email address linked to the Instagram account, receive a code at that same address, and enter it on the tool's website. From there, the system checks whether that address is associated with known data breaches, including the Instagram one, and shows, if so, what type of data may have been exposed.

Although these types of services are not infallible, they do help to give a clearer view of the exposure level. If your email address appears in one or more incidents, it's advisable to assume that any password associated with it may be at risk and act accordingly, starting by updating passwords and reviewing active logins.

For users in the European Union, where the General Data Protection Regulation (GDPR) requires companies to report relevant security breaches, it is likely that in the coming weeks we will see more explanations and, perhaps, specific communications if it is confirmed that specific European accounts have been particularly damaged.

In any case, whether the tool indicates exposure or not, experts agree that it is worth reinforcing security, because the email or phone number may have been compromised in other services and end up being used in attacks related to Instagram.

Urgent steps to protect your Instagram account

Although the technical origin of the leak remains under debate, there are a number of practical steps that any user can apply right now to reduce risks. They don't require extensive knowledge and make a clear difference against the most common attacks.

The first move should be to change your Instagram password from within the app or from the official website, without using links received via email. In the app, you can do this from your profile by going to “Settings and Activity” > “Account Center” > “Password and Security” > “Change Password.” On a computer, the path is similar through the settings menu.

When choosing a new password, experts recommend opting for a long password that is difficult to guess and not used on any other service. Ideally, you should manage your passwords with a password manager, so you don't end up resorting to easy-to-remember combinations that are also easy to break.

The second major pillar is to activate two-factor authentication (2FA). From the same "Password and Security" section, you can choose between receiving codes via SMS or using specific authentication apps. Most experts suggest avoiding SMS whenever possible, because the phone number itself can be targeted by attacks such as SIM swapping.

Applications like Google Authenticator, Authy, Bitwarden, 2FAS, and similar options generate temporary codes that are constantly renewed. This way, even if someone manages to get hold of your password, they would still need that second factor to log in, greatly reducing the likelihood of them gaining access to your account.

Extra steps: open sessions, suspicious emails, and security habits

In addition to the basic measures, there are a number of complementary actions that should be reviewed carefully if you suspect that your data may be part of the leak or if you have started receiving strange emails.

On the one hand, it is advisable to review the devices where your account appears logged in. From the "Account Center" and the security section, Instagram displays a list of phones, tablets, and computers with active sessions. If you detect a device you don't recognize, or one you no longer use, the best course of action is to log out from there.

It is also useful to take a look at the "Instagram emails" section within the app settings. This section compiles recent messages that the platform has actually sent, allowing you to better distinguish between official announcements and fraudulent emails that simply use similar logos and designs.

Regarding email, the golden rule is very clear: do not click on links or download attachments from messages that ask for credentials or personal information. Even if they appear to be from Instagram, Meta, your bank, or any other known entity, if something seems suspicious, open the official app or website directly and check there for any pending notifications.

Finally, it's worth reviewing which third-party apps and services have access to your Instagram account. Some legitimate analytics, publishing, or network management tools require permissions, but others may be outdated or not particularly reliable. Revoking access to what you no longer use reduces the number of potential entry points.

This whole incident makes it clear to what extent the data we share on social media can end up circulating in places we never imagined, and why it's so important to maintain good digital security practices. Beyond a single leak, the exposure of 17.5 million Instagram accounts, along with emails, phone numbers, and addresses circulating on the dark web, serves as an uncomfortable but useful reminder: it's wise to review passwords, enable two-step authentication, and be wary of any message requesting sensitive information, no matter how legitimate it may seem.
