Malwarebytes has discovered that hackers have stolen sensitive information from 17.5 million Instagram accounts. If your business uses Instagram for marketing, or if you or your team members have personal accounts, here’s what you need to know.
What Was Stolen?
The compromised data includes usernames, physical addresses, phone numbers, email addresses, and more. According to Malwarebytes, this information is already being offered for sale on the dark web, and cybercriminals are actively exploiting it.
Even more concerning: users are receiving genuine password reset notifications from Instagram, triggered by attackers who are using the stolen data to attempt account takeovers.
We’re Already Seeing This in the Wild
Just last week, one of our clients received a suspicious email from Instagram asking them to confirm a new email address that had supposedly been added to their account—except they never added it. The email was legitimate (from Instagram’s actual domain), but the request wasn’t. Attackers were attempting to add their own email address to the account as a stepping stone to a full takeover.
Fortunately, our client recognized this as suspicious and contacted us immediately. But this breach confirms what we suspected: these attacks aren’t theoretical. They’re happening now, and they’re targeting real businesses.
Why This Matters for Your Business
This breach creates several risks for small businesses:
Phishing attacks: Cybercriminals can use the stolen information to craft convincing phishing emails that appear to come from Instagram or trusted brands. These attacks are designed to trick you into handing over passwords or other sensitive information.
Account takeovers: If your business Instagram account is compromised, attackers could damage your brand reputation, scam your followers, or lock you out entirely.
Credential stuffing: If you reuse passwords across multiple accounts (we know, we know—you shouldn’t), compromised Instagram credentials could give attackers access to other business systems.
What to Do Right Now
- Be skeptical of any unexpected Instagram notifications. Even if the email comes from Instagram’s legitimate domain, if you didn’t initiate the action (adding an email, resetting a password, etc.), don’t click through. Instead, go directly to Instagram.com and check your account settings.
- Reset your Instagram password immediately. Sign into your account and create a new, strong, unique password. Use a password manager if you aren’t already—it’s 2026, folks.
- Review your account’s authorized email addresses. Log into Instagram settings and verify that only your email addresses are associated with the account. Remove any you don’t recognize.
- Enable two-factor authentication (2FA). This adds an extra layer of protection even if your password is compromised.
- Notify your team. If multiple people manage your business Instagram account, make sure everyone is aware and taking precautions.
Pro tip: To check if your email has been exposed in this or other breaches, visit Have I Been Pwned—a trusted, free resource for checking breach exposure. (Note: This Instagram breach may not show up there yet, but it’s a good tool to bookmark.)
The Bottom Line
Data breaches like this are a reminder that cybersecurity isn’t just about protecting your business systems—it extends to every platform and tool your business relies on, including social media.
If you’re concerned about your business’s exposure or need help implementing better security practices, we’re here to help.
Source: Malwarebytes Security Newsletter, January 2026
