Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Cybersecurity company Malwarebytes just noticed something nasty happening on the dark web:
Cybercriminals stole sensitive information from 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more. This data is available for sale on the dark web and can be exploited by cybercriminals.
— Malwarebytes (@malwarebytes.com) January 9, 2026 at 8:34 a.m.
Have you recently received unexpected password reset emails from Instagram? If the comments on a Reddit post about this violation from a few hours ago are an indication, you are not alone.
It appears that the physical addresses, phone numbers, email addresses and other information attached to the accounts of 17.5 million Instagram users are available for sale in sketchy parts of the Internet.
Apparently Malwarebytes conducts dark net scans for items like this and speculates that this cache of personal data is related to a 2024 API breach that likely allowed an attacker to extract Instagram information.
Here are some steps you can take to ensure your information is secure:
- Reset your password now
- Enable two-factor authentication if you haven’t already done so
- Permanently delete all social media accounts from all platforms
So far, Instagram doesn’t appear to have released a statement on the matter. Gizmodo has contacted Meta for comment and will update if we receive a response.
