
Cybercriminals are distributing phone numbers of Instagram users in a massive dataset that may turn years-old leaks into a fresh Instagram account takeover.
- A searchable dataset linking phone numbers to Instagram accounts has surfaced online, with a threat actor named S-Root claiming to sell it via Telegram.
- It's likely recycled data, not a new breach. Cybernews researchers believe the dataset is a repackaged "combolist" — old leaked credentials adapted to target Instagram profiles through brute-force attacks.
- Combo lists fuel credential-stuffing. Attackers feed stolen username-password pairs into automated tools that blast thousands of login attempts per minute. Even a 1–2% hit rate on a million entries yields thousands of hijacked accounts.
- Phone numbers are especially dangerous when linked to profiles. They enable attackers to build detailed victim profiles, craft convincing phishing messages, and identify accounts tied to specific individuals or public figures.
- Users should protect themselves by using unique passwords, enabling multi-factor authentication, and staying cautious of unsolicited messages that reference personal details.
A searchable dataset allegedly linking phone numbers to Instagram accounts has surfaced online, raising new fears for Meta users.
The claims on the hacker’s Telegram channel are especially alarming, as Meta has just admitted that over 20,000 Instagram accounts were compromised through the account recovery tool.
The database reportedly allows searching for users and their phone numbers, potentially revealing associated Instagram profiles.
Stolen Instagram account information: Should you be worried?
The threat actor named S-Root has claimed to be selling the dataset. These claims raise questions about whether the social media platform suffered yet another breach or whether the dataset is linked to the recently reported Meta breach.
While such datasets may generate alarm, Cybernews researchers caution that the presence of user information does not necessarily indicate a fresh compromise of Instagram systems.
Our researchers say that it may not be a newly stolen database. A more convincing explanation is that threat actors repackaged a collection of older leaked information.
“This looks more like a combolist targeted for Instagram,” researchers explained. “Essentially, old leaked data was adapted to identify or brute-force Instagram profiles.”
A password combo list is a file, usually in plain text, that contains pairs of usernames or email addresses and passwords. The logic is simple. Rather than stealing new data, threat actors frequently aggregate information from previous breaches.
Also, the primary source of combo lists is stealer logs and ULP files harvested directly from infostealing malware, which scrapes browser vaults, cookies, and autofill data.
Cybernews has previously reported on massive credential lists being leaked, like the Mother of all Breaches (MOAB), which contained 26 billion records, including LinkedIn, Twitter, Weibo, Tencent, and other platforms’ user data.
How can attackers weaponize combo lists?
After purchasing a combolist, attackers feed it into credential-stuffing tools such as OpenBullet, Sentry MBA, or Snipr, to name a few. These tools can blast thousands of login attempts per minute. Even a 1–2% hit rate on a million-entry combolist results in thousands of valid logins.
After verifying the working credentials, attackers sell them as "verified combos" on dark-web marketplaces for as little as $2 per account, which fuels the next wave of attacks. A successful match triggers account takeover, leading to further theft of data.
According to IB-Group, threat actors often target consumer platforms such as Netflix, PayPal, and Amazon, as well as corporate portals that use Office 365 or CRM tools. For example, after the RockYou2021 leak of 8.4 billion passwords, attackers used common password matches to bombard Office 365 portals.
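Seen from the login service's side, the traffic described above has a recognisable shape: one source, many distinct accounts, a very low success rate. The following is an added example, not code from Cybernews or any tool named in the article; the log format, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed sample auth log: ISO timestamp, source IP, username, outcome."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    # One source tries 200 distinct accounts in about 40 s; 3 succeed (1.5% hit rate).
    for i in range(200):
        outcome = "OK" if i in (17, 90, 151) else "FAIL"
        ts = base + timedelta(milliseconds=200 * i)
        lines.append(f"{ts.isoformat(timespec='milliseconds')} 203.0.113.7 user{i:04d} {outcome}")
    # An ordinary user mistypes a password twice, then logs in.
    for j, outcome in enumerate(["FAIL", "FAIL", "OK"]):
        ts = base + timedelta(seconds=5 * j)
        lines.append(f"{ts.isoformat(timespec='milliseconds')} 198.51.100.20 alice {outcome}")
    return sorted(lines)  # fixed-width timestamps sort chronologically

def detect_stuffing(lines, window=timedelta(seconds=60),
                    min_attempts=100, min_accounts=50, max_hit_rate=0.05):
    """Return {ip: stats} for sources whose sliding window looks like credential stuffing."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, username, succeeded)
    flagged = {}
    for line in lines:
        ts_text, ip, user, outcome = line.split()
        ts = datetime.fromisoformat(ts_text)
        q = recent[ip]
        q.append((ts, user, outcome == "OK"))
        # Drop events that have fallen out of the window for this source.
        while q and ts - q[0][0] > window:
            q.popleft()
        attempts = len(q)
        accounts = len({u for _, u, _ in q})
        hits = sum(ok for _, _, ok in q)
        # Many attempts, spread over many accounts, almost all failing.
        if (attempts >= min_attempts and accounts >= min_accounts
                and hits / attempts <= max_hit_rate):
            flagged[ip] = {"attempts": attempts, "accounts": accounts, "hits": hits}
    return flagged

if __name__ == "__main__":
    for ip, stats in detect_stuffing(build_sample_log()).items():
        print(ip, stats)
```

The distinct-account threshold is what separates this pattern from a single user retrying a forgotten password, which produces many failures against one account.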
Why do leaked Instagram users’ phone numbers matter?
Even if the currently listed Instagram dataset consists primarily of recycled information, phone numbers remain valuable to cybercriminals.
By linking phone numbers to social media profiles, attackers can build detailed profiles of potential victims and craft more convincing phishing messages. The information may also help threat actors identify accounts associated with specific individuals or public figures.
Researchers note that attackers often take the process a step further by combining phone numbers with historical password leaks to find similar patterns and attempt account takeovers.
“Attackers also sometimes try to find the same email or user and have a list of passwords for that email, or generate new ones, for example, if the password list is “apple1”, “apple2”, it’s likely that some passwords will be “apple3”,” Cybernews researchers explained.
This shows that information exposed years ago can still remain valuable to cybercriminals.
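The "apple1", "apple2", "apple3" pattern the researchers describe can be blocked when a password is changed. The sketch below is an added example, not something from the article or from Instagram; it assumes the service knows which passwords were already exposed for the account, and the function names, the edit threshold and the sample list are hypothetical.

```python
import re

def stem(password):
    """Lowercase and drop leading/trailing digits and symbols: 'Apple!2024' -> 'apple'."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())

def edit_distance(a, b):
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def too_similar(candidate, exposed, max_edits=2):
    """Return the exposed password the candidate appears derived from, or None."""
    c_stem = stem(candidate)
    for old in exposed:
        # Same base word with a different number or symbol tacked on.
        if c_stem and c_stem == stem(old):
            return old
        # Only a character or two changed anywhere in the string.
        if edit_distance(candidate.lower(), old.lower()) <= max_edits:
            return old
    return None

# Constructed sample: passwords for one account found in earlier leaks.
EXPOSED = ["apple1", "apple2"]

if __name__ == "__main__":
    for new in ["apple3", "Apple!2024", "4pple1", "correct-horse-battery"]:
        match = too_similar(new, EXPOSED)
        print(new, "-> rejected, derived from" if match else "-> accepted", match or "")
```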
What should users concerned about account security do?
- Use unique passwords
- Enable multi-factor authentication
- Remain cautious about unsolicited messages that reference personal information.