Last updated 1 week ago
In January 2026, a dataset containing 17 million rows of public Instagram information was posted to a popular hacking forum. The data was allegedly scraped via an Instagram API and included usernames, display names, account IDs, and in some cases, geolocation data. Of these records, 6.2 million included an associated email address, and some also contained a phone number. The scraped data appears to be unrelated to password reset requests initiated on the platform, despite coinciding in timeframe. There is no evidence that passwords or other sensitive data were compromised.
Data allegedly scraped via an Instagram API and posted to a hacking forum
The breach highlights the risk of data scraping through public APIs. Security controls that should be reviewed include API rate limiting, monitoring for abnormal data access patterns, and implementing stricter access controls for public data endpoints. Organizations should also consider obfuscating or limiting the exposure of personally identifiable information through public APIs.
Company
Industry
Location
Disclosed
Records Affected
Attack Vector