Security researchers reported a dataset of about 17.5 million Instagram user records circulating in underground forums while Instagram denied a platform breach but acknowledged a bug that allowed outsiders to trigger password‑reset emails. Firms warn the exposed contact data has driven phishing and account‑takeover attempts.

During the week of Jan. 11–17 cybersecurity monitors detected a large dataset—roughly 17.5 million Instagram user records—trading on underground forums and notification channels. Instagram stated there was no platform breach but confirmed a security bug that could allow external actors to trigger password‑reset emails or otherwise harvest contact data linked to accounts, creating an avenue for targeted social‑engineering attacks. Security vendors reported rapid abuse: attackers used exposed emails and phone numbers to craft convincing phishing campaigns, initiate password resets, intercept codes via SIM‑swap or voicemail techniques, and pursue account‑takeovers. The dataset's circulation enabled both mass spray campaigns and prioritized intrusions against high‑value targets, prompting account‑protection advisories from researchers. Observers urged multi‑factor authentication stronger than SMS, monitoring for unauthorized password‑reset activity, and rapid reporting of suspicious resets. The incident reinforces how collected contact metadata—even absent full credential dumps—can be weaponized for phishing, credential‑harvest, and SIM‑swap schemes that escalate into broader fraud and account compromise across social and financial platforms.