Critical

Instagram Breach: 6.2M Accounts — Passwords Exposed

In January 2026, data allegedly scraped via an Instagram API was posted to a popular hacking forum. The dataset contained 17M rows of public Instagram information, including usernames, display names, account IDs, and in some cases, geolocation data. Of these records, 6.2M included an associated ema...

Overview

On January 15, 2026, a dataset containing over 17 million rows of scraped Instagram user profiles was posted to a popular hacking forum. Of those, 6,215,150 records included sensitive personal information such as email addresses, passwords, names, phone numbers, and usernames. The data, which was reported to Have I Been Pwned (HIBP) for verification, appears to have been collected by exploiting an Instagram API vulnerability or misconfiguration. The breach impacts both individual users and businesses with public-facing profiles.

What Was Exposed

The leaked data includes: emails (used for account recovery and login), passwords (in plaintext or hashed form, posing a credential stuffing risk), usernames, display names, and phone numbers. In some cases, geolocation data linked to posts or profile locations was also included. This combination of data makes users vulnerable to phishing attacks, SIM swapping, and targeted social engineering, particularly if the passwords were reused across other services.

How the Breach Happened

Attackers likely abused Instagram’s public-facing API endpoints to scrape user profile data in bulk. While Instagram restricts access to private accounts, public profiles were harvested via automated scripts. The scrape included metadata such as contact information that users inadvertently made public in their bios, comments, or linked accounts. This is not a new attack vector; similar scraping incidents have plagued social media platforms for years. However, the scale of this dataset (17 million rows) suggests the vulnerability was exploited over an extended period or automated across countless queries.

Account Takeover Risks

The most immediate threat is account takeover. With exposed passwords combined with usernames or emails, attackers can attempt credential stuffing across Instagram and other platforms. Even if the passwords are hashed, fast general-purpose hashes like MD5 or SHA-1 can be cracked quickly, especially when unsalted. Moreover, phone numbers and emails enable phishing attempts that appear legitimate because they reference real account details. For high-profile accounts with valuable followers or business links, this is a critical threat.

Identity Theft Risks

Phone numbers and geolocation data open the door to identity theft. With a phone number, attackers can attempt SIM swapping to hijack SMS-based two-factor authentication or gain access to linked services. Geolocation data can be used to profile users’ routines, enabling physical stalking or targeted social engineering. For celebrities, public figures, or influencers whose physical location is not widely known, this data is particularly dangerous.

How to Check If You’re Affected

You can verify whether your Instagram account is in this leak by visiting haveibeenpwned.com and searching your email address or phone number. If you are affected, change your Instagram password immediately and enable two-factor authentication (preferably via an authenticator app rather than SMS). Review your account’s public information: remove email addresses, phone numbers, or location data from your bio or linked accounts. Consider using a password manager to generate unique passwords for each service.

Security Insight

This breach underscores a persistent blind spot in social media platforms: public APIs are designed for accessibility, not security. Instagram’s failure to rate-limit or cap scraping queries allowed attackers to harvest millions of records with minimal effort. Comparable scraping incidents, like the 2021 Clubhouse API scrape or the 2023 LinkedIn profile dump, show that platforms rarely treat public data as sensitive, even when it includes contact information. The lesson is that users should treat all public platform data as potentially permanent and act accordingly by locking down bios and linked accounts.
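The rate-limiting gap called out above is easy to close on the platform side, and bulk profile enumeration is also easy to spot in access logs after the fact. The block below is an added example, not code from the page or from Instagram: it flags clients that request more distinct profiles per minute than any human would, and then shows a per-client token bucket throttling the same request stream. The log format, the `/api/v1/users/<name>` path, the thresholds and the TEST-NET client addresses are all constructed for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format: "<ISO-8601 UTC timestamp> <client ip> <method> <path> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) GET /api/v1/users/(?P<user>[^/\s?]+)")


def parse_log_line(line: str) -> tuple[datetime, str, str] | None:
    """Return (timestamp, client ip, requested profile) for profile reads, None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["user"]


def find_scrapers(lines: list[str], max_profiles: int = 20, window_seconds: int = 60) -> dict[str, int]:
    """Map each client that reads more than max_profiles distinct profiles inside any
    sliding window to its peak distinct-profile count; well-behaved clients are absent."""
    events = sorted(e for e in map(parse_log_line, lines) if e)
    per_ip: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for ts, ip, user in events:
        per_ip[ip].append((ts, user))
    flagged: dict[str, int] = {}
    for ip, evs in per_ip.items():
        window: deque[tuple[datetime, str]] = deque()
        in_window: dict[str, int] = defaultdict(int)  # profile -> hits still inside the window
        peak = 0
        for ts, user in evs:
            window.append((ts, user))
            in_window[user] += 1
            while (ts - window[0][0]).total_seconds() > window_seconds:
                old_ts, old_user = window.popleft()
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
            peak = max(peak, len(in_window))
        if peak > max_profiles:
            flagged[ip] = peak
    return flagged


class TokenBucket:
    """Per-client limiter: `capacity` burst, then `refill_per_second` sustained requests."""

    def __init__(self, capacity: int, refill_per_second: float) -> None:
        self.capacity, self.rate = capacity, refill_per_second
        self.tokens, self.last = float(capacity), None

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False  # denied requests do not consume tokens


def simulate_limiter(lines: list[str], ip: str, capacity: int, refill_per_second: float) -> tuple[int, int]:
    """Replay one client's profile reads through a token bucket; return (allowed, denied)."""
    bucket = TokenBucket(capacity, refill_per_second)
    reads = sorted(e for e in map(parse_log_line, lines) if e and e[1] == ip)
    allowed = sum(bucket.allow(ts.timestamp()) for ts, _, _ in reads)
    return allowed, len(reads) - allowed


def _make_sample_log() -> list[str]:
    """Constructed traffic: one scraper enumerating 50 profiles in 50 s, one normal user."""
    base = datetime(2026, 1, 15, 10, 0, 0)
    lines = [f"{base + timedelta(seconds=i):%Y-%m-%dT%H:%M:%SZ} 203.0.113.5 GET /api/v1/users/user{i:03d} 200"
             for i in range(50)]
    lines += [f"{base + timedelta(minutes=i):%Y-%m-%dT%H:%M:%SZ} 198.51.100.7 GET /api/v1/users/friend{i} 200"
              for i in range(5)]
    lines.append(f"{base:%Y-%m-%dT%H:%M:%SZ} 198.51.100.7 POST /api/v1/media 201")  # ignored by the parser
    return lines


SAMPLE_LOG = _make_sample_log()

if __name__ == "__main__":
    print("flagged scrapers:", find_scrapers(SAMPLE_LOG))
    for client in ("203.0.113.5", "198.51.100.7"):
        print(client, "allowed/denied with a 10-burst, 0.5/s bucket:", simulate_limiter(SAMPLE_LOG, client, 10, 0.5))
```

The detector works on distinct profiles rather than raw request counts, so a client refreshing one page repeatedly is not flagged while an enumerator is; the bucket shows the other half of the picture, cutting the same 50-profile burst to 34 successful reads and forcing a scraper to slow to the sustained refill rate, which turns a 17-million-row harvest into a multi-year project.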
