In January 2026, data allegedly scraped via an Instagram API was posted to a popular hacking forum. The dataset contained 17M rows of public Instagram information, including usernames, display names, account IDs, and in some cases, geolocation data. Of these records, 6.2M included an associated ema...
Overview
In early 2026, a significant amount of Instagram user data was scraped and later posted online. The information was collected through a method that accessed public profiles via an Instagram interface, gathering details that users often leave publicly visible. While the breach did not compromise Instagram’s internal systems or expose passwords, it resulted in the personal data of over 6.2 million users being compiled and shared on a hacking forum. This incident highlights the risks of information being collected from public profiles on social platforms.
What Was Exposed
The dataset included information typically found on a public Instagram profile. For the 6.2 million most affected users, the exposed data includes:
- Usernames, Display Names, and Account IDs: Your public Instagram handle and the name you display.
- Email Addresses: The email account linked to your Instagram profile was exposed for these users.
- Phone Numbers: For a subset of users, the phone number associated with the account was also included.
- Geolocation Data: Some records contained location information, likely from past posts or profile data.
Importantly, private messages, financial information, and account passwords were not exposed in this incident.
Potential Impact
Having this combination of data publicly available increases your risk of targeted scams and harassment. Cybercriminals can use your email, name, and username to craft convincing phishing emails or messages pretending to be from Instagram or other trusted services. If your phone number was exposed, you may experience an increase in spam calls and SMS phishing attempts (smishing). The inclusion of geolocation data could pose a physical safety or stalking risk in extreme cases. This data can also be used to research targets for identity theft or to hijack other online accounts if you use similar usernames or email addresses elsewhere.
Recommendations
- Change Your Instagram Password: As a general security practice, update your Instagram password to a strong, unique one that you do not use on any other website or app.
- Enable Two-Factor Authentication (2FA): Add this critical extra layer of security to your Instagram account immediately. Go to Settings > Security > Two-Factor Authentication and set it up using an authentication app for the strongest protection.
- Be Vigilant Against Phishing: Be extremely cautious of any emails, texts, or direct messages that claim to be from Instagram, especially those asking for personal details or urging you to click a link. Always verify the sender’s authenticity.
- Review Your Profile Privacy: Consider making your Instagram account private and review what information is visible on your public profile. You can adjust these settings under Settings > Privacy.
- Use Unique Passwords: Ensure your email account linked to Instagram has a strong, unique password. If you reuse this password elsewhere, change it on those other accounts as well.
How to Check If You’re Affected
The breach has been reported to the free service Have I Been Pwned. You can visit their website and enter your email address to check if it appears in this or any other known data breach. If your email is listed as part of this Instagram incident, you should follow the recommendations above.
- Check your exposure here: https://haveibeenpwned.com