Data of 17.5 Million Instagram Users Leaked on Hacker Forum After Scraping Attack

Scraped Data of 17.5 Million Instagram Users, Including Emails and Phone Numbers, Leaked on BreachForums

HIGH
January 10, 2026
Data Breach, Phishing

Impact Scope

People Affected

17.5 million

Industries Affected

Technology, Media and Entertainment

Related Entities

Threat Actors

Solonik

Organizations

Products & Tech

Instagram

Other

BreachForums

Full Report

Executive Summary

A dataset containing the personally identifiable information (PII) of an estimated 17.5 million Instagram users has been leaked on the notorious hacker forum, BreachForums. The data, posted by a threat actor known as "Solonik," appears to have been collected through large-scale data scraping of Instagram's public-facing APIs rather than a direct breach of Meta's internal systems. The leaked information includes full names, email addresses, phone numbers, and user IDs. This exposure places millions of users at immediate risk of sophisticated phishing campaigns, SIM swapping, and identity theft. The incident is compounded by a reported spike in fraudulent password reset attempts against Instagram accounts, indicating that malicious actors are actively exploiting the leaked data.


Breach Overview

  • Source of Leak: A threat actor named "Solonik" on BreachForums.
  • Data Size: Approximately 17.5 million user records.
  • Data Contents: Full names, email addresses, phone numbers, Instagram user IDs, and partial addresses.
  • Method: The data was reportedly obtained via data scraping, an automated technique used to harvest large amounts of information from websites and APIs. This suggests a potential weakness in Instagram's rate-limiting or anti-bot protections that allowed the actor to query so many profiles.
  • Date of Leak: The data appeared on BreachForums on January 7, 2026.

Following the leak, there has been a noticeable increase in malicious activity targeting Instagram users, particularly a wave of unsolicited password reset notifications. This indicates that other threat actors are using the email addresses and phone numbers from the leak to try to hijack accounts.


Technical Analysis

Data scraping is the primary technique behind this incident. It is distinct from a "hack" in that it doesn't necessarily involve bypassing security controls to access non-public data. Instead, it automates the process of collecting data that is already publicly or semi-publicly available.

  • API Abuse: The scraper likely exploited a legitimate or poorly documented API endpoint that returns user profile information. By automating requests to this API with millions of different user IDs, the actor could compile the massive dataset.
  • Failure of Protective Measures: The scale of this scraping operation suggests a failure of Instagram's defensive measures. Effective anti-scraping technologies typically include:
    • Rate Limiting: Restricting the number of requests a single IP address or API key can make in a given time.
    • Bot Detection: Using behavioral analysis and fingerprinting to identify and block automated scripts.
    • Data Obfuscation: Limiting the amount of PII returned by public-facing APIs.

MITRE ATT&CK TTPs

| Tactic | Technique ID | Name | Description |
|---|---|---|---|
| Collection | T1593.002 | Search Open Technical Databases | The threat actor likely enumerated user IDs and scraped data via a public API. |
| Credential Access | T1555 | Credentials from Password Stores | Following the leak, other actors are using the data to attempt account takeovers. |
| Initial Access | T1566 | Phishing | The leaked PII is ideal for crafting highly targeted and convincing phishing emails. |

Impact Assessment

  • Increased Phishing and Scams: With access to names, emails, and phone numbers, attackers can launch highly personalized phishing campaigns (spear-phishing) that are more likely to succeed.
  • SIM Swapping Attacks: The availability of phone numbers linked to specific individuals increases the risk of SIM swapping, where an attacker tricks a mobile carrier into transferring a victim's phone number to a new SIM card, allowing them to intercept MFA codes sent via SMS.
  • Identity Theft: The combination of PII can be used to impersonate victims, open fraudulent accounts, or as a starting point for more comprehensive identity theft.
  • Account Takeover: The surge in password reset attempts shows that the data is being actively used to try to gain control of Instagram accounts for spam, fraud, or to demand a ransom.
  • Reputational Damage to Meta: The incident raises questions about the effectiveness of Instagram's privacy safeguards and its responsibility to protect user data, even if it is publicly accessible.

IOCs

  • Threat Actor: Solonik
  • Forum: BreachForums

Cyber Observables for Detection

For platform providers like Meta:

| Type | Value | Description | Context | Confidence |
|---|---|---|---|---|
| network_traffic_pattern | High-volume API requests from a single source | A single IP or a small pool of IPs making an abnormally high number of requests to user profile API endpoints. | API gateway and WAF logs. | high |
| other | Sequential user ID enumeration | API requests that appear to be iterating through user IDs in a sequential or predictable pattern. | Application-level logging. | high |
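
The following is an added example, not part of the original report and not Meta's code, that checks API gateway log lines for the two observables listed above. The log format, the /api/v1/users/<id>/info path, and every threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed log format: "<timestamp> <source IP> GET /api/v1/users/<id>/info <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) GET /api/v1/users/(\d+)/info (\d{3})$")

def parse(lines):
    """Group requested user IDs by source IP, in arrival order.
    The caller passes the lines of one time window (e.g. one minute)."""
    by_src = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            by_src[m.group(2)].append(int(m.group(3)))
    return by_src

def sequential_ratio(ids, max_step=3):
    """Fraction of consecutive requests whose user ID rises by a small step."""
    if len(ids) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(ids, ids[1:]) if 0 < b - a <= max_step)
    return hits / (len(ids) - 1)

def flag_sources(lines, min_requests=20, min_distinct=0.9, min_seq=0.8):
    """Return {ip: [reasons]} for sources matching either observable."""
    flagged = {}
    for ip, ids in parse(lines).items():
        reasons = []
        distinct = len(set(ids)) / len(ids)
        # Observable 1: many requests, almost all for different profiles.
        if len(ids) >= min_requests and distinct >= min_distinct:
            reasons.append("high_volume_distinct_profiles")
        # Observable 2: IDs walked in a sequential or predictable pattern.
        if len(ids) >= 5 and sequential_ratio(ids) >= min_seq:
            reasons.append("sequential_id_enumeration")
        if reasons:
            flagged[ip] = reasons
    return flagged

def build_sample():
    """Constructed log lines: one enumerating source, one ordinary client."""
    lines = [f"2026-01-05T10:00:{i:02d}Z 198.51.100.7 GET /api/v1/users/{1000 + i}/info 200"
             for i in range(30)]                      # walks IDs 1000, 1001, ...
    for i, uid in enumerate([42, 9001, 42, 77, 42, 9001]):  # revisits a few profiles
        lines.append(f"2026-01-05T10:01:{i:02d}Z 203.0.113.20 GET /api/v1/users/{uid}/info 200")
    return lines

if __name__ == "__main__":
    print(flag_sources(build_sample()))
```

Per-IP grouping misses a scraper spread across many addresses; grouping on API key, session, or client fingerprint instead uses the same logic.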

Detection & Response

Recommendations for Instagram Users

  1. Enable Strong MFA: The single most important action is to enable multi-factor authentication on your Instagram account. Crucially, use an authenticator app (like Google Authenticator or Authy) instead of SMS-based MFA, as this protects against SIM swapping attacks.
  2. Change Your Password: Create a new, unique, and strong password for your Instagram account.
  3. Be Vigilant: Treat all unsolicited emails or messages, especially those related to your Instagram account, with extreme suspicion. Never click on password reset links you did not request yourself. Manually navigate to instagram.com to reset your password if you are concerned.
  4. Review Account Security: Check your Instagram account's login activity (Settings > Security > Login Activity) for any unrecognized sessions and log them out.

Mitigation

For Platform Providers (like Meta)

  1. Strengthen Anti-Scraping Controls: Implement more sophisticated bot detection and stricter, adaptive rate limiting on all public-facing APIs that return user data. This is a form of D3FEND Application Configuration Hardening (D3-ACH).
  2. Data Minimization: Review all API endpoints to ensure they only return the minimum data necessary for their function. Do not expose sensitive data like full email addresses or phone numbers through public APIs if possible.
  3. Proactive Monitoring: Actively monitor for and disrupt large-scale scraping operations, rather than waiting for the data to appear on hacker forums.
  4. Transparent Communication: Promptly and clearly communicate with users when a large-scale scraping incident is confirmed to have exposed their data, and provide clear guidance on protective measures.

Timeline of Events

  1. January 7, 2026: A dataset of 17.5 million Instagram users is posted on BreachForums by the threat actor 'Solonik'.
  2. January 10, 2026: Users report a surge in fraudulent password reset attempts, and news outlets begin covering the leak.
  3. January 10, 2026: This article was published.

MITRE ATT&CK Mitigations

Users should enable MFA, preferably using an authenticator app, to protect their accounts even if their password is stolen or reset.

Educate users to be vigilant against phishing attempts that will leverage the leaked data and to never click on unsolicited password reset links.

D3FEND Defensive Countermeasures

For Instagram users affected by this leak, the most critical defensive action is to enable Multi-Factor Authentication immediately. Given that the leak includes phone numbers, which makes users vulnerable to SIM swapping, it is imperative to use an authenticator app (such as Google Authenticator, Microsoft Authenticator, or Authy) for MFA instead of SMS. An app-based code is generated on the device itself and is not susceptible to interception via SIM swapping. This single step provides a powerful layer of security that protects the account even if an attacker has the user's password, directly mitigating the primary risk from this data leak.

For platform providers like Meta, preventing future large-scale scraping requires robust Application Configuration Hardening on public-facing APIs. This involves implementing adaptive rate limiting that goes beyond simple per-IP thresholds. The system should analyze behavior, detecting and throttling sources that are systematically enumerating user IDs or making an unusually high number of profile requests. Furthermore, APIs should be configured with data minimization in mind; endpoints available to unauthenticated or low-trust clients should not return sensitive PII like email addresses or phone numbers. This combination of stricter access control and reduced data exposure on public APIs is the key technical countermeasure to prevent scraping at this scale.
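
The following is an added example, not part of the original report and not Meta's code, of the two countermeasures described above working together: a rate limit that tightens as a client requests more distinct profiles, and a response filter that withholds email and phone from low-trust callers. The field names, the owner/non-owner trust split, and all limits are assumptions, and the traffic is constructed.

```python
PUBLIC_FIELDS = {"user_id", "username", "full_name"}   # assumed allowlist for low-trust callers
OWNER_FIELDS = PUBLIC_FIELDS | {"email", "phone"}      # assumed: contact data only for the owner

def minimize(profile, is_owner):
    """Drop every field the caller's trust tier is not entitled to."""
    allowed = OWNER_FIELDS if is_owner else PUBLIC_FIELDS
    return {k: v for k, v in profile.items() if k in allowed}

class AdaptiveLimiter:
    """Per-client token bucket whose refill rate halves for every
    `distinct_step` different profiles the client has asked for."""

    def __init__(self, capacity=10.0, base_rate=1.0, distinct_step=20):
        self.capacity = capacity
        self.base_rate = base_rate          # tokens per second for a narrow client
        self.distinct_step = distinct_step
        self.state = {}                     # client -> [tokens, last_time, seen_ids]

    def allow(self, client, user_id, now):
        tokens, last, seen = self.state.get(client, [self.capacity, now, set()])
        seen.add(user_id)                   # denied attempts still count as breadth
        rate = self.base_rate / (2 ** (len(seen) // self.distinct_step))
        tokens = min(self.capacity, tokens + (now - last) * rate)
        ok = tokens >= 1.0
        self.state[client] = [tokens - 1.0 if ok else tokens, now, seen]
        return ok

def serve(limiter, client, profile, is_owner, now):
    """Return the minimized profile, or None where an API would answer 429."""
    if not limiter.allow(client, profile["user_id"], now):
        return None
    return minimize(profile, is_owner)

def simulate(id_for_second, seconds=60):
    """Constructed traffic: one request per second; returns how many were served."""
    limiter = AdaptiveLimiter()
    served = 0
    for t in range(seconds):
        profile = {"user_id": id_for_second(t), "username": "u", "full_name": "N",
                   "email": "user@example.com", "phone": "+10000000000"}
        if serve(limiter, "client-a", profile, False, float(t)) is not None:
            served += 1
    return served

if __name__ == "__main__":
    print("revisits 3 profiles:", simulate(lambda t: t % 3))
    print("enumerates new IDs: ", simulate(lambda t: 5000 + t))
```

A production limiter would bound the per-client set of seen IDs, for example with a sliding window or an approximate counter, so that the state itself cannot grow without limit.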

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Data Leak, Data Scraping, Instagram, Meta, BreachForums, PII, Phishing, SIM Swapping
