A large dataset tied to Instagram accounts has surfaced on hacking forums, and cybersecurity firm Malwarebytes says it includes contact details for around 17.5 million users, apparently harvested via an Instagram‑related API in 2024. One detailed report, “17.5 Million Instagram Accounts Exposed in Major Data Leak, says the file contains usernames, full names, email addresses, phone numbers, user IDs and partial location data, but no passwords or private messages.
Soon after the dataset was posted, users around the world began reporting password‑reset emails from Instagram that they had not requested, prompting concern that accounts were being taken over. Coverage of these “password reset attacks” notes that the emails themselves do not prove compromise, but that the leak gives scammers the raw material to send convincing fake security messages or impersonate Instagram support.
Meta has not confirmed the specific 17.5‑million‑record leak, and statements so far emphasize that its internal systems were not breached, while security writers describe the incident as large‑scale scraping or an “API leak” rather than a direct break‑in. Specialists recommend that users treat any unexpected reset email with caution, enable two‑factor authentication using an authenticator app, and consider changing their Instagram and email passwords, since the exposed contact details could still be used for phishing, SIM‑swapping or harassment even without leaked logins