Instagram’s 17 Million User Data Leak Was Just Scraped Records from 2022

On January 9, Malwarebytes announced it had tracked a data breach involving the Meta-owned platform Instagram, claiming hackers had leaked data from 17.5 million accounts online. The leaked information included usernames, physical addresses, phone numbers, email addresses, and more. However, this claim, which implied a recent incident, is inaccurate. Hackread.com’s investigation confirms that while the data is real, cybercriminals did not steal it recently.

Malwarebytes was referring to a BreachForums post published on January 7, 2026, by a user going by the alias Solonik, titled “INSTAGRAM.COM 17M GLOBAL USERS – 2024 API LEAK.” This post claimed the data was from a 2024 breach. In reality, Hackread.com confirmed it was a repackaged scrape originally collected in 2022. The same data was first leaked on BreachForums in June 2023 by a user known as “vanz,” and also surfaced on another forum, LeakBase. Labeling it as a 2024 leak was a deliberate move to rebrand stale data as new.

After reports of the leak resurfaced, some users began receiving password reset emails from Instagram. On January 11, 2025, Instagram addressed the claims, denying any breach but acknowledging that an issue had allowed an external party to trigger password reset emails to some users. Instagram tweeted: “We fixed an issue that let an external party request password reset emails for some. There was no breach of our systems, and your accounts are secure. You can ignore those emails.”

Although the leaked data is old, it contains real information that scammers can use to launch phishing and smishing campaigns. Instagram users should be alert for suspicious emails and verify any password reset requests directly through the app or website. Recycled data can still cause damage years after it first leaks.

To read the complete article see: Hackread\n