Instagram user data leak raises alarm over privacy lapses

A large cache of personal information linked to 17.5 million Instagram accounts is being traded on dark web marketplaces, triggering renewed scrutiny of data protection practices at one of the world’s most widely used social media platforms. Cybersecurity researchers say the dataset, advertised by criminal brokers, contains usernames, email addresses, phone numbers and partial location details, information that could be exploited for identity theft, fraud and targeted phishing.

The exposure came to wider attention after Malwarebytes, a cybersecurity firm that monitors underground forums, flagged the listing publicly on X, the platform formerly known as Twitter. Analysts at the firm said the scale and apparent organisation of the sale suggested a structured data-harvesting operation rather than a one-off scrape, although the precise method used to obtain the records remains under investigation.

Instagram, owned by Meta Platforms, said it was examining claims about the dataset and assessing whether the information originated from its systems. The company has not confirmed a breach of its core infrastructure, a distinction that matters because some large datasets advertised online are compiled from older leaks, third-party apps, or aggressive scraping of publicly accessible profiles combined with data from other sources.

People familiar with cybercrime markets say the listing is being promoted as “fresh” and comprehensive, a marketing tactic that often drives higher prices. Even where some details are outdated, the combination of usernames with phone numbers or emails significantly increases the success rate of scams, particularly impersonation messages that mimic account recovery notices or brand promotions.

Security specialists note that Instagram’s vast user base makes it a frequent target for both scraping and credential-stuffing campaigns. Over the past few years, automated tools have been used to collect publicly visible profile data at scale, while compromised credentials from unrelated breaches are tested against social media accounts. When attackers gain access, they can extract private contact details or resell the accounts themselves.

Malwarebytes said its researchers had reviewed samples of the data circulating in criminal channels and found them to be internally consistent, though it cautioned that independent verification of the full dataset was ongoing. The firm urged users to treat unsolicited messages with suspicion and to avoid clicking on links claiming to reference account security issues.

The emergence of another large Instagram-linked dataset highlights broader challenges faced by social media companies in limiting data extraction without undermining legitimate use. Application programming interfaces, search functions and contact discovery tools have historically been abused to pull information at scale, prompting platforms to introduce rate limits and stricter access controls. Each tightening, however, tends to be followed by new workarounds developed by attackers.

For regulators, the incident adds to pressure on technology firms to demonstrate robust safeguards under data protection laws such as the European Union’s General Data Protection Regulation. Authorities have previously fined major platforms for failing to prevent the mass harvesting of user data, even when information was technically public, arguing that design choices can still facilitate abuse.

Privacy advocates argue that the repeated appearance of large datasets tied to social networks undermines user trust. Many people share contact details to enable account recovery or social features, not expecting those details to be aggregated and sold. Once circulated, such data is effectively impossible to retract, persisting across multiple forums and resale cycles.

Meta has invested heavily in automated detection of scraping and suspicious behaviour, using machine learning systems to identify abnormal access patterns. The company also promotes security tools such as two-factor authentication and login alerts, which can reduce the risk of account takeover even if contact details are exposed. Adoption of these measures, however, remains uneven across regions and age groups.

Law enforcement agencies in several countries monitor major dark web markets and occasionally seize infrastructure or arrest sellers, but the trade continues to migrate. Analysts say that takedowns tend to have a temporary effect, with vendors re-emerging under new aliases or platforms.

The article Instagram user data leak raises alarm over privacy lapses appeared first on Arabian Post.

Economist Admin Admin managing news updates, RSS feed curation, and PR content publishing. Focused on timely, accurate, and impactful information delivery.