Instagram 2026 Data Breach

Instagram API Data Scrape (2026): 6.2 Million User Emails, Phone Numbers & Location Data Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Data ScrapingSocialDisplay NameEmail AddressGeographic LocationPhone NumberUsername
Low SeverityWebsite / service breach

Instagram API Data Scrape (2026): 6.2 Million User Emails, Phone Numbers & Location Data Exposed

Social media platform for photo, video, and messaging features.

Verified by ObscureIQ Intelligence
34/100Breach Risk Index
4Data Value
60Market Recency
106dSince Breach

Breach Intelligence Summary

Entity: Instagram · Actor: Unknown · Sources: 5 references
Attack: Data Scraping
Profile: Platform · Social media and content sharing · Mobile-first social platform · Global
Timeline: Breach (2026-01-07) · Indexed (Jan 11, 2026) · Year (2026)
Exposure: 6.2M records · 5 fields: Display Name, Email Address, Geographic Location, Phone Number, Username
Status: Confirmed

Executive Summary

Instagram had 6.2 million user records exposed after data allegedly scraped through its public API was posted to a hacking forum in January 2026. The dataset totaled roughly 17 million rows of account information, including usernames, display names, account IDs, and in some cases geographic location data. Of those rows, 6.2 million contained associated email addresses, and a portion also included phone numbers. Instagram characterized the exposed data as publicly available profile information rather than the result of unauthorized system access. Some analysts believe the dataset may be partially recycled from an earlier 2024 scrape that circulated on BreachForums and was subsequently redistributed in modified form, a common pattern in breach markets. While usernames and display names are publicly visible by design, the inclusion of email addresses, phone numbers, and geographic locations raises the risk profile considerably. Those fields are not always intended to be publicly accessible and their combination creates a detailed profile that can be cross-referenced against other leaked datasets. Affected users face elevated exposure to phishing attempts, targeted harassment, account takeover attempts, and identity linkage through their social connections and posted content. Business accounts and creators are at additional risk of impersonation and fraud. No regulatory action or class-action litigation specific to this incident has been widely documented as of early 2026, and Instagram has not indicated it will issue individual notifications, given its position that no unauthorized system access occurred. For affected individuals, the practical risk is ongoing: scraped data does not expire, and once in circulation it is difficult to contain. Users whose email addresses or phone numbers were exposed should be alert to unsolicited contact, suspicious login attempts, and phishing messages that reference personal details.

ObscureIQ assessment: Exposure enables harassment, phishing, account takeover, and identity linkage through social graphs and content history. Creator and business accounts may also face impersonation and fraud.

Breach Impact

In January 2026 data allegedly scraped through an Instagram API was posted to a hacking forum. The dataset contained approximately 17 million rows of public Instagram account information including usernames, display names, account IDs, and in some cases geographic location data, of which 6.2 million rows included associated email addresses. Instagram characterized the exposed data as publicly available profile information rather than a system breach, consistent with its position that the data was harvested through API enumeration rather than unauthorized access. No regulatory action or class-action litigation specific to this incident has been widely documented in public sources as of early 2026.

About Instagram

Instagram is a photo and video sharing social media platform owned by Meta Platforms. Launched in 2010 and acquired by Facebook in 2012 for approximately $1 billion, it has grown into one of the world's largest social platforms with over two billion monthly active users. The platform generates revenue primarily through advertising sold against user content feeds, Stories, and Reels. Instagram is central to Meta's advertising business and influencer economy.

Why They Hold Your Data

Social-media platforms collect user identity, contact details, posts, messages, follower relationships, location-linked activity, ad-targeting signals, and creator or business account records.

Recent Developments

Instagram has continued expanding its short-form video and creator monetization features as Meta prioritizes the Reels format to compete with TikTok. The platform has faced ongoing regulatory scrutiny globally over teen safety, algorithmic harm, and data practices. Meta has invested in AI-powered content recommendation systems across Instagram's feed and discovery surfaces. The platform reached agreement with several state attorneys general over teen safety concerns.

Data Points Exposed

5 verified field types
Display Name
Email Address
Geographic Location
Phone Number
Username

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:High
Primary downstream threats:
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
Threat vectors:
  • Account tracking
  • Phishing, credential stuffing & account takeover
  • Pattern-of-life analysis & physical surveillance
  • SIM swapping, vishing & SMS phishing
  • Cross-platform tracking & credential stuffing

Recommended Actions

If you believe your information may be included:

Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Find 2FA settings
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
IdentityTheft.govReport to FTC

Frequently Asked Questions

What happened in the Instagram breach?

Instagram had 6.2 million user records exposed after data allegedly scraped through its public API was posted to a hacking forum in January 2026. The dataset totaled roughly 17 million rows of account information, including usernames, display names, account IDs, and in some cases geographic…

What data was exposed?

Verified fields include Display Name, Email Address, Geographic Location, Phone Number, Username.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
Have I Been Pwned
Record & field corroboration
Breach Index
DataBreach.com
Record & field corroboration
Cross-source
9ghz
Independent catalogue listing
Cross-source
DataViper.io
Independent catalogue listing
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation