- Based on reports, data from about 17.5 million Instagram users is circulating for sale on dark web marketplaces.
- The stolen data consists of really sensitive information, including usernames, email addresses, phone numbers, and even location info.
- Experts say this leak makes account theft and phishing scams way more likely.

A huge trove of Instagram user info, we’re talking about 17.5 million accounts, has reportedly appeared for sale on the dark web.
Personal information of users, such as phone numbers and emails, is out there, which basically means users are now more likely to get scammed.
From Leaked Data to Real-World Scams
Cybersecurity firm Malwarebytes raised the alarm. They discovered the dataset was actively being traded online. The data appears to have been scraped in late 2024. Sellers used region-specific sources and public APIs.
A seller using the name “Subkek” is marketing the information. Sample records show full phone numbers and email addresses. This isn’t just a privacy nuisance. It’s a direct security threat.
Malwarebytes reports a clear sign of misuse already: users whose info got leaked are being contacted by scammers via email, asking them to reset their Instagram password. This will help the criminals bypass security measures when they attempt to take full control of accounts.
The personal details also enable hyper-targeted phishing. Scammers can craft messages that look incredibly legitimate. They might impersonate Instagram or Meta support. Having your real phone number makes their fake alerts much more convincing.
This weaponization of personal data is a direct consequence of corporate security failures, a risk tragically demonstrated when Condé Nast’s inaction led to the exposure of millions of WIRED subscriber records, putting them at similar risk of targeted attacks.
Instagram and Meta Yet to Confirm Source of Breach
For now, Meta has not issued any official statement about a data leak or confirmed whether there was indeed a security problem. So no one can say for sure if the data really came from Instagram. The data might also have been pulled from a third-party service.
Security experts are currently trying to probe into the breach to find out more details. The priority is understanding how the information was compiled.
Here’s How to See If You’re Involved and Stay Safe
See if your account was in the leak ASAP; head to haveibeenpwned.com and type in the phone number or email you use for Instagram. The service will check if your data appears in this breach. It also checks many other known leaks.
Also, review your Instagram account security directly. Go to your Login Activity settings within the app. Look for any unrecognized devices or locations. This could indicate unauthorized access.
This leak turns personal information into a weapon for fraud. The implications can be really serious and immediate. It gives criminals ingredients for identity theft and sophisticated phishing.
The risk is universal, impacting not just social media users but also communities through breaches of essential services, exemplified by the massive exposure of student and staff records in a major school district breach.
Going forward, assume some of your data is already in criminal hands. You should be very suspicious of any emails that tell you that your password needs to be changed. Only click a link in an email you were expecting, and only after you have verified the source of the email.
When trying to reset passwords, do it on the official Instagram app or website, not through any email links—those are risky. And remember to also turn on two-factor authentication to add an extra layer of security so that, should scammers get a hold of your password, they’ll still need authorization before they log in.
A prompt response from Meta is important because users need clarity on how this happened.
Even if Meta eventually confirms the leak did not happen or you find out your info is not part of the leak, still keep an eye on your account security. Monitor your accounts for strange activity. This is now a standard part of using social media.