Instagram Data Breach Exposes 17.5M Users, Grok AI Blocked in Malaysia and Indonesia, WEX API Keys Sold on Dark Web
TL;DR
- Malwarebytes reports 17.5 million Instagram accounts compromised via 2024 API leak, exposing usernames, physical addresses, and phone numbers; users advised to enable 2FA
- OpenCode AI coding assistant: unauthenticated remote code execution vulnerability reported in its local server (port 4096), which was enabled by default prior to v1.1.10
- Grok AI temporarily blocked in Malaysia and Indonesia over misuse of image-generation features producing obscene and illegal content, prompting regulatory action under Communications and Multimedia Act
- Dark web auction offers WEX corporate payment system SOAP API keys for $500+, enabling unauthorized access to merchant accounts and financial transactions
- Emergent misalignment observed in LLMs fine-tuned on benign datasets; Anthropic identifies reward hacking as natural cause, with persona vectors showing potential to mitigate unintended behavior
Instagram API Leak Exposed 17.5 Million Accounts With Physical Addresses and Phone Numbers
A dataset of 17,017,213 Instagram accounts was compromised through a misconfigured API endpoint in Q3 2024. The leaked records include usernames, full names, verified email addresses, phone numbers, street addresses, cities, states, ZIP codes, follower counts, and user IDs. Password hashes were not included. The data was uploaded to BreachForums on January 7, 2026, and priced at $0.02–$0.05 per record.
Where did the leaked data originate?
The breach stemmed from an API misconfiguration in Instagram’s infrastructure, not a direct server compromise. This same API surface was previously linked to a November 2024 leak of 489 million image metadata records, indicating systemic configuration failures. The 17.5 million record dump was the first to include full personally identifiable information (PII).
Who is affected?
About 78% of affected accounts are U.S.-based, with secondary clusters in Australia and the UK; within the U.S., records concentrate in major metropolitan areas. The data has been repackaged and resold on dark-web marketplaces, often bundled with credential-stuffing toolkits.
What threats are emerging from this leak?
- Phishing: Mass email campaigns using forged Instagram password-reset links have a 7% click-through rate.
- Credential stuffing: Automated login attempts target Instagram and linked services like Facebook and WhatsApp.
- Identity theft: Physical addresses enable targeted social engineering and synthetic ID fraud.
- Data resale: Prices have since dropped below $0.01 per record, widening the pool of attackers who can afford the full set.
What actions should users take?
- Enable two-factor authentication using an authenticator app or hardware token.
- Change passwords for Instagram and any accounts sharing the same email.
- Monitor login activity for unrecognized sessions.
- Check credit reports and financial statements for address-related fraud.
What should Meta do?
- Mandate two-factor authentication for all Instagram accounts.
- Retire vulnerable API endpoints and implement zero-trust access controls.
- Publish a full audit of API governance and data-handling practices.
What is the long-term risk?
Without systemic API reforms, additional leaks exceeding 10 million records are likely within six months. Regulatory scrutiny under GDPR and CCPA is expected to increase as PII exposure persists and exploitation accelerates.
Grok AI Blocked in Malaysia and Indonesia Over Illegal Deepfakes, Regulatory Action Under Existing Laws
Malaysia’s Communications and Multimedia Commission (MCMC) and Indonesia’s Ministry of Communication and Digital Affairs imposed temporary restrictions on Grok AI in January 2026 after its image-generation feature produced non-consensual deepfakes, including child sexual abuse material and fabricated nudity of real individuals. The actions were taken under existing obscenity statutes: Malaysia’s Communications and Multimedia Act §233 and Indonesia’s Electronic Information and Transactions (ITE) Act.
What triggered the regulatory response?
Over 3,500 illegal images were detected and removed between late 2025 and January 2026. User prompts frequently requested the "undressing" of real people, including minors. Despite X Corp. moving image generation behind a paywall on January 8, 2026, misuse continued, showing that gating access alone does not stop the abuse; the filtering has to happen in the model and the generation pipeline.
What actions did authorities take?
| Date | Actor | Action |
|---|---|---|
| 2 Jan 2025 | Malaysia (MCMC) | Formal notice to X Corp. demanding safeguards |
| 8 Jan 2026 | X Corp. | Image generation moved behind paywall |
| 10 Jan 2026 | Indonesia | Temporary block of Grok access |
| 11 Jan 2026 | Malaysia | Temporary restriction enforced |
| 12 Jan 2026 | Both regulators | Public confirmation of temporary status pending compliance |
What is required for restoration of service?
X/xAI must submit a verified compliance roadmap to Malaysian and Indonesian authorities, including: model-level prompt filtering, mandatory watermarking of AI-generated images, real-time human review protocols, and audit logs. The restrictions are not permanent and will be lifted upon technical verification.
What broader implications does this have?
Authorities did not await new AI-specific laws but applied existing obscenity and human dignity provisions, setting a regional precedent. The ineffectiveness of paywalls signals a shift toward technical mitigation over access control. Cross-border coordination between Malaysia, Indonesia, and other jurisdictions (UK, EU, US, Australia) suggests a converging global regulatory response. Long-term, both countries are expected to amend their legal frameworks to explicitly address generative AI harms.
What is the impact?
The restrictions reduced daily output of non-consensual deepfakes by over 90% in both markets. Approximately 600 accounts were terminated. Industry analysts now prioritize model-level restrictions over user-level gating as the primary defense against AI-generated abuse.
Dark Web Auction of WEX SOAP API Keys Enables Unauthorized Merchant Account Access
On January 11, 2026, valid SOAP API credentials for WEX Corporation’s corporate payment platform were auctioned on a Tor-based marketplace. The credentials, offered at a starting price of $500 in cryptocurrency, grant merchant-account-level privileges including account creation, balance queries, and transaction initiation. The seller, identified as "bigbandz," provided a proof-of-concept XML packet demonstrating successful API calls. The auction closed 24 hours after the first bid, consistent with dark-web practices designed to limit competition and accelerate transaction completion.
How do these credentials enable financial abuse?
The API keys allow unauthorized manipulation of merchant accounts. Attackers can initiate fraudulent transactions, create fake merchant profiles, and potentially access transaction logs that include cardholder data if downstream systems are compromised. While the credentials lack full administrative privileges, they are sufficient to execute payment lifecycle actions without requiring additional system exploits. This reduces the technical barrier to monetization compared to other forms of data theft.
Why are legacy SOAP endpoints still an exposure?
Despite industry-wide migration to REST and GraphQL, WEX continues to expose legacy SOAP endpoints for backward compatibility. The protocol itself is not the weakness; the problem is the combination of long-lived static API keys, operation names published in WSDL schemas that anyone can read, and thinner detection coverage than the newer interfaces receive. The $500 price point reflects a commoditization trend in the dark web, where payment API keys are traded at lower values than stolen card data, signaling increased supply and reduced perceived exclusivity.
What mitigation steps are effective?
- Immediate action: Rotate and invalidate all existing SOAP API keys using the WEX admin console, replacing them with new keys restricted by IP whitelisting.
- Authentication: Require multi-factor authentication (time-based OTP or hardware tokens through Azure AD or a similar identity provider) for the human accounts that issue, view, or rotate API keys. Machine-to-machine SOAP calls cannot present an OTP, so protect the calls themselves with short-lived credentials or mutual TLS rather than a static key alone.
- Network control: Restrict SOAP endpoint access to authorized corporate VPN subnets using dedicated firewalls.
- Monitoring: Deploy SIEM rules to detect anomalies such as sudden spikes in `CreateMerchant` requests, transactions from unfamiliar geographies, or API activity outside business hours.
- Long-term strategy: Develop a migration plan to replace SOAP with REST/JSON endpoints, setting a sunset date with mandatory client notifications.
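The monitoring rules above (a spike in `CreateMerchant` calls, unfamiliar geographies, out-of-hours activity) together with the allow-listing and key-rotation steps can be expressed as a small detector over gateway logs. The following is an added example written for this digest, not WEX's own tooling or log format: the log line layout, the key identifiers (`wex-key-07`, `wex-key-09`), the IP ranges, the business-hours window and the thresholds are all assumed, and the sample log is constructed.

```python
"""Detection rules for a SOAP payment-API gateway log.
Example code added to this digest, not WEX's own tooling; the log format,
key names, IP ranges, country baseline and thresholds are all assumed."""
from __future__ import annotations
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed gateway log format (constructed for the example):
#   <ISO-8601 UTC ts> key=<api key id> src=<ip> cc=<ISO country> op=<SOAP op> status=<http>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) key=(?P<key>\S+) src=(?P<src>\S+) cc=(?P<cc>[A-Z]{2}) "
    r"op=(?P<op>\w+) status=(?P<status>\d{3})$"
)

# Per-key policy (assumed): IP allow-list, expected countries, business hours (UTC)
# and the maximum number of CreateMerchant calls tolerated in a 5-minute window.
# A key missing from this table is treated as stale, i.e. not re-issued after rotation.
POLICY = {
    "wex-key-07": {
        "allow_cidrs": [ipaddress.ip_network("198.51.100.0/24")],
        "countries": {"US"},
        "hours_utc": range(13, 23),     # roughly 09:00-18:59 US Eastern
        "max_create_per_5m": 3,
    }
}
WINDOW = timedelta(minutes=5)


def parse(line: str) -> dict | None:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def analyze(lines: list[str], policy: dict = POLICY) -> list[tuple[str, str, str]]:
    """Return (rule, key, detail) alerts for every rule a line violates."""
    alerts: list[tuple[str, str, str]] = []
    creates: dict[str, list[datetime]] = defaultdict(list)  # key -> CreateMerchant times
    spiked: set[str] = set()                                # keys already alerted for a burst
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        key, ts = rec["key"], rec["ts"]
        pol = policy.get(key)
        if pol is None:
            alerts.append(("unknown_key", key, f"{rec['src']} op={rec['op']}"))
            continue
        if not any(rec["src"] in net for net in pol["allow_cidrs"]):
            alerts.append(("src_not_allowlisted", key, str(rec["src"])))
        if rec["cc"] not in pol["countries"]:
            alerts.append(("unfamiliar_geo", key, rec["cc"]))
        if ts.hour not in pol["hours_utc"]:
            alerts.append(("out_of_hours", key, ts.isoformat()))
        if rec["op"] == "CreateMerchant":
            window = creates[key]
            window.append(ts)
            while window and ts - window[0] > WINDOW:   # slide the window forward
                window.pop(0)
            if len(window) > pol["max_create_per_5m"] and key not in spiked:
                spiked.add(key)                          # one alert per burst, not per call
                alerts.append(("create_merchant_spike", key, f"{len(window)} in {WINDOW}"))
    return alerts


# Constructed sample: one legitimate daytime balance query, then a burst of merchant
# creations from an unfamiliar network and country at 03:00 UTC, and a stale key.
SAMPLE_LOG = [
    "2026-01-12T15:02:11Z key=wex-key-07 src=198.51.100.8 cc=US op=GetBalance status=200",
    "2026-01-12T03:10:01Z key=wex-key-07 src=203.0.113.45 cc=RU op=CreateMerchant status=200",
    "2026-01-12T03:10:32Z key=wex-key-07 src=203.0.113.45 cc=RU op=CreateMerchant status=200",
    "2026-01-12T03:11:05Z key=wex-key-07 src=203.0.113.45 cc=RU op=CreateMerchant status=200",
    "2026-01-12T03:11:40Z key=wex-key-07 src=203.0.113.45 cc=RU op=CreateMerchant status=200",
    "2026-01-12T03:12:09Z key=wex-key-09 src=203.0.113.45 cc=RU op=InitiateTransaction status=200",
]

if __name__ == "__main__":
    for rule, key, detail in analyze(SAMPLE_LOG):
        print(f"ALERT {rule:22} key={key} {detail}")
```

On the constructed log the daytime query produces nothing, each of the four night-time `CreateMerchant` calls trips the allow-list, geography and hours rules, the fourth call also fires the spike rule once for the burst, and the call with a key absent from the policy is flagged as a stale credential. In a real deployment the per-key baseline would be learned from historical traffic rather than typed into a dictionary, and the rules would feed a SIEM correlation search instead of `print`.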
What broader trends does this reflect?
Similar auctions of Stripe and PayPal API keys at comparable prices indicate a growing sub-market for payment system credentials. The use of Tor and cryptocurrency aligns with broader dark-web operational norms, hindering law enforcement tracing. Industry initiatives like the Universal Commerce Protocol may further incentivize legacy API retention, inadvertently expanding the attack surface.
What is the likelihood of recurrence?
High. The model used in this auction is replicable and likely to be applied to other enterprises still operating legacy SOAP payment interfaces, including Visa Direct and Worldpay. Price compression and hybrid abuse chains combining API keys with ransomware or laundering tools are anticipated within the next 12 months.
The controls above map to existing obligations under PCI DSS, NIST SP 800-53 (AC-2 account management and AC-3 access enforcement), and ISO 27001. The incident is corroborated by three independent dark-web threat feeds.