Last updated 1 month ago
In January 2026, a dataset containing 17 million rows of public Instagram information was posted to a popular hacking forum. The scraped data included 6.2 million records with associated email addresses, along with usernames, display names, account IDs, and in some cases geolocation data and phone numbers. The breach exposed publicly accessible profile information but did not compromise passwords or other sensitive authentication data.
The data was obtained by scraping Instagram's API, an unauthorized data harvesting operation. The incident involved automated collection of publicly available user profile information rather than a compromise of protected systems or credentials. The scraped data appears unrelated to the password reset requests initiated on the platform in the same timeframe.
There is no evidence that passwords or other sensitive data were compromised in this incident. The breach represents exposure of public profile information rather than a system intrusion or credential theft.
Data allegedly scraped via an Instagram API
This incident demonstrates the risk of API scraping attacks against social media platforms with large user bases. Instagram's public API allowed harvesting of 6.2 million email addresses alongside profile data, highlighting the need for rate limiting, monitoring, and authentication controls even for 'public' APIs. The breach shows that seemingly public data aggregation at scale can still represent significant privacy exposure when combined with contact information.