In January 2026, cybersecurity researchers reported that personal data belonging to approximately 17.5 million Instagram users was being circulated and traded on underground cybercrime forums and illicit data marketplaces. The dataset was discovered on invitation-only forums and dark web platforms commonly used by cybercriminal groups to exchange stolen databases, phishing resources, and access credentials.
According to researchers monitoring these forums, the dataset was advertised as an “Instagram user records dump” and was being shared either for direct sale, exchanged for other stolen data, or distributed to selected forum members to build reputation within cybercrime communities.
The exposed data reportedly includes Instagram usernames, full names, email addresses, phone numbers, user IDs, and other profile-related metadata. While no account passwords were included, the availability of personal and contact information makes the dataset highly valuable for large-scale phishing campaigns, impersonation attempts, spam operations, and automated account targeting.
Shortly after the dataset began circulating online, millions of Instagram users worldwide started receiving unsolicited password reset emails that they had not requested. Many users reported receiving multiple reset notifications within a short time, which led to widespread concern that Instagram might be experiencing an active breach or coordinated account takeover attempt.
Meta, Instagram’s parent company, responded by stating that there was no fresh compromise of its internal systems and no unauthorized access to its password databases. The company explained that the password reset surge was caused by external actors abusing the password reset feature using previously exposed or scraped user data, rather than hackers directly breaching Instagram’s infrastructure.
Despite Meta’s denial of a new breach, independent cybersecurity researchers and dark web monitoring teams confirmed that the dataset itself is real and actively circulating within cybercriminal networks. The data is reportedly being resold, redistributed, and reused for malicious activities across multiple underground platforms.
The resurfacing of this dataset and the resulting global password reset wave have made this one of the most visible and impactful user data exposure incidents reported in early 2026. The incident demonstrates how previously scraped or leaked data can continue to pose security risks long after the original exposure, especially when such data is repurposed and exploited at scale by threat actors.