If there’s one inalienable truth regarding hackers, it’s that you cannot always trust their word – these people are criminals after all, and are often prone to exaggerating or even outright lying about their claims.
This habit has caused quite a stir for Instagram and its owners, Meta, this last week, following one hacker’s claim that they had access to a relatively new 2024 data leak impacting more than 17 million users of the image-sharing platform.
A hacker going by the name of Solonik claimed to have the data in a January 7 post to a popular clear-web hacker platform, and this was later amplified by cyber security firm Malwarebytes, which said in a post to X that “Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more”.
While the implication is that the data is new and valid, another member of the same hacking forum had already shared the dataset in 2023, claiming that it was a scrape of Instagram’s data, though they did not know where it had come from.
Even the sample data provided by Solonik was identical to that shared almost three years prior. In essence, Solonik was simply repackaging an older dataset, a common practice among cyber criminals.
The matter was further complicated after many Instagram users reported receiving password reset requests, leading some observers – including Malwarebytes – to link the two alleged incidents. Instagram rushed to deny any breach, though its statement was far from assuring.
"We fixed an issue that allowed an external party to request password reset emails for some Instagram users," a Meta spokesperson said in a widely reported comment over the weekend.
"We want to reassure everyone there was no breach of our systems and people's Instagram accounts remain secure. People can disregard these emails and we apologise for any confusion this may have caused."
So while the 17-million user leak is quite literally old news, some mysterious third-party appears to have accessed Instagram’s internal systems. Nonetheless, even older data can still be utilised by scammers and hackers, so if you are an Instagram user, it’s probably a good idea to update your password and be on the lookout for any phishing attempts.
The dataset in question has also now been added to Have I Been Pwned’s email database.
In January 2026, data allegedly scraped via an Instagram API was posted to a popular hacking forum,” HIBP said in a January 11 post to the site.
The dataset contained 17M rows of public Instagram information, including usernames, display names, account IDs, and in some cases, geolocation data. Of these records, 6.2M included an associated email address, and some also contained a phone number.”
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.