What Happened
In January 2026, a dataset containing personal information from approximately 17.5 million Instagram accounts (instagram.com) was posted for free on dark web forums by a threat actor using the alias “Solonik.” The data was allegedly scraped via an API vulnerability in late 2024, with some sources tracing its origins to 2022. It exposed usernames, full names, user IDs, verified email addresses (affecting 6.2 million records), phone numbers, follower counts, countries, and partial location data, but no passwords.

The incident, highlighted by cybersecurity firms like Malwarebytes, coincided with widespread unsolicited password reset emails sent to users. Meta attributed those emails to a separate third-party exploit allowing mass reset requests rather than a direct systems breach, prompting the company to fix the issue and deny any core security compromise on January 11, 2026.

While Meta insisted accounts remained secure and urged users to ignore the emails, experts warned of heightened risks of phishing, SIM swapping, and identity theft due to the detailed PII now circulating. They recommended that users enable app-based MFA and check for suspicious activity across linked Meta platforms.



