The digital walls of Instagram are looking a bit porous. As of Monday, January 12, 2026, a massive dataset containing the personal info of 17.5 million users is floating around the dark web.
Add businessleague.in as a Preferred Source
The thing is, if you’ve been getting random “Password Reset” emails at 4:00 AM, you’re likely on the list. Or nothing. Let’s be real, even though Meta is currently downplaying this as a “technical loophole” and not a “breach,” the data is very much out there. Those too.
Also Read |Tamil Nadu Voter List Purge: 97 Lakh Names Deleted in SIR Phase 1
The “Solonik” Leak Log: Field Notes
It’s an ongoing situation where your phone number and email are now basically public property for anyone with a Tor browser.
The “Solonik” Drop: On January 7, a threat actor named “Solonik” posted the motherlode on BreachForums. The thing is, they labeled it as a “2024 API Leak.” This suggests it wasn’t a smash-and-grab on Meta’s servers yesterday, but a slow scraping of their API from two years ago that’s just now being released for free.
The Meta Denial: Meta officially stated they “fixed an issue that let an external party request password reset emails.” The thing is, they insist their core systems are “secure.” But here’s the kicker: just because their servers weren’t hacked doesn’t mean your data isn’t in a hacker’s hands. The emails you’re seeing are hackers using that leaked list to see which accounts they can “brute force” into.
What’s in the Bag: We’re talking usernames, full names, verified emails, phone numbers, and even partial physical addresses. The thing is, while your password wasn’t leaked, this is a goldmine for SIM swapping and phishing.
The Wave: Thousands of users on Reddit and X are reporting 5–10 reset requests a day. It’s an ongoing situation where the hackers are trying to overwhelm you into clicking “Yes” just to make the notifications stop.
Also Read |Tamil Nadu Voter List Purge: 97 Lakh Names Deleted in SIR Phase 1
Instagram Security Checklist: Jan 2026
[Table: Action Plan for Affected Users]
| Action | Priority | Why You Need To Do It |
| Ignore Reset Emails | CRITICAL | If you didn’t ask for it, don’t click it. |
| Switch to App-Based 2FA | HIGH | Move away from SMS 2FA to prevent SIM-swap hacks. |
| Check “Login Activity” | MEDIUM | See if any weird devices are logged in from “Moscow” or “Dubai.” |
| Change Your Password | MEDIUM | Do it manually through the app, not via an email link. |
And Here’s the Kicker…
The timing is brutal. India, which has nearly 480 million Instagram users, is the most targeted region in this leak. The thing is, with the DPDP Act (2023) still in its “phasing in” period, Meta might not even be legally forced to notify individual users about this for another few months.
It’s an ongoing situation where Malwarebytes is offering a “Digital Footprint” scan to see if your email is in the Solonik dump. If you’re a creator or business owner, your risk profile just went through the roof. Don’t trust any DM that says “Your account will be deleted for copyright”—it’s almost certainly a follow-up to this leak.
Also Read |Tamil Nadu Voter List Purge: 97 Lakh Names Deleted in SIR Phase 1
End…
Add businessleague.in as a Preferred Source
