17.5 million Instagram accounts leaked through API scraping. Meta denies breach, but your data is on the dark web. Here's what actually happened.

Security Boulevard is a leading cybersecurity news and information portal, offering articles, analysis, and insights on cybersecurity threats, vulnerabilities, and best practices. From the latest trends in cyber threats to expert commentary on security technologies and compliance frameworks, Security Boulevard provides resources for security professionals, IT leaders, and business executives seeking to protect their organizations from cyber attacks and data breaches.

Security Boulevard

On January 7, 2026, a dataset of 17.5 million Instagram user records appeared on BreachForums, including names, emails, phone numbers, and partial location data. Meta denied any breach, claiming the data came from API scraping rather than a system compromise. The post explains how API scraping works—through distributed IP rotation, fake account creation, and exploiting endpoint vulnerabilities—and argues that the 'public data' defense is invalid because aggregation at scale transforms public information into a weaponizable surveillance dataset. Practical steps for affected users include enabling authenticator-app-based 2FA, auditing profile visibility, reviewing connected apps, and monitoring for phishing. The post also outlines what Meta should do: implement proper rate limiting, anomaly detection, user controls, and transparency. The broader argument is that weak API security is a systemic, economically-driven problem across social media platforms, and current breach notification laws don't adequately cover scraping incidents.

The Instagram API Scraping Crisis: When ‘Public’ Data Becomes a 17.5 Million User Breach

The Bigger Picture: API Security Is Broken