Millions of Instagram Credentials Circulating on Dark Web: Alert for New Wave of Phishing

A 2024 vulnerability in the Instagram API exposed over 17.5 million accounts, and that personal data has now resurfaced on underground platforms. The compromised information includes usernames, email addresses, phone numbers, and metadata associated with profiles, posing an immediate threat to affected users.

The Origin of the Crisis: A Catastrophic Configuration Error

The breach originated from poor configuration in Instagram’s API systems, which allowed unauthorized extraction of millions of user profiles. Although the incident occurred in 2024, the reappearance of this data on the dark web in January 2026 has renewed the risk, turning old information into a valuable asset for cybercriminals.

Malwarebytes, the renowned cybersecurity company, identified this new distribution of the compromised data on BreachForums and other illegal exchange platforms and publicly warned of the security implications.

The Real Danger: Sophisticated Phishing Campaigns

Attackers not only possess the personal data but have also found an effective way to exploit it. They use the leaked information to send fraudulent emails that mimic password reset requests from Instagram. Because recipients recognize their real data in the messages, the success rate of these phishing campaigns increases significantly.

The volume of impersonation attempts has notably risen since the data reappeared on the dark web, with thousands of users reporting suspicious emails directed at their accounts.

Immediate Protection Measures

Malwarebytes recommends all potentially affected users take defensive actions without delay:

  • Change passwords: Update your Instagram password and, especially, the password of any other account that reuses the same login credentials
  • Enable two-factor authentication: This additional security layer significantly hampers unauthorized access attempts
  • Verify account changes: Review recent activity and connected devices in security settings
  • Be cautious of links in emails: Access Instagram directly through the browser instead of clicking on email links
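
The sender and link checks behind that last recommendation can be automated for mailbox triage. The following is an added example, not code from Malwarebytes or the original article; the trusted-domain list, the function names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains treated as legitimate for Instagram mail and links.
TRUSTED = ("instagram.com",)

def on_trusted_domain(host):
    """True only for a trusted domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def triage(raw):
    """Return reasons to treat a single-part 'password reset' mail as suspicious."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    # A display name that says "Instagram" proves nothing; check the address.
    if "instagram" in (display + addr).lower() and not on_trusted_domain(sender_host):
        findings.append(f"sender claims Instagram but uses {sender_host}")
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        # urlsplit().hostname ignores userinfo, so "instagram.com@other" resolves to "other".
        host = urlsplit(url).hostname
        if not on_trusted_domain(host):
            findings.append(f"link points to {host}")
    return findings

# Constructed sample: real-looking personal data, lookalike sender and links.
PHISH = """From: Instagram Security <security@instagram-support.example>
To: user@example.org
Subject: Reset your password

Hi jane_doe, we received a request for the number ending 4471.
Reset here: https://instagram.com.reset-login.example/r?u=jane_doe
Or confirm: https://instagram.com@help-center.example/confirm
"""

# Constructed sample that passes both checks.
CLEAN = """From: Instagram <security@mail.instagram.com>
To: user@example.org
Subject: Reset your password

https://www.instagram.com/accounts/password/reset/
"""

if __name__ == "__main__":
    print(triage(PHISH), triage(CLEAN))
```

An empty result only means these two checks passed; the From header can be forged, so the advice to open Instagram directly in the browser still applies.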

Meta’s Silence

So far, Meta has not issued public statements responding to the reappearance of this data on the dark web nor provided information about additional measures it might be implementing to protect its users. This lack of response contrasts with the severity of the exposure and keeps users in uncertainty regarding future corrective actions.

The situation highlights the critical importance of personal security hygiene and reinforces that, regardless of the measures implemented by platforms, individual responsibility in credential protection remains fundamental.
