A researcher, Laxman Muthiyah, took home a $30,000 reward from Facebook, the owner of Instagram, after discovering a weakness in the way you reset your password for the popular application. Though it would require a bit of work for an attacker to do, he shows that it is possible with accessible resources and a bit of cash ($150 to be exact).
Currently, when you reset your password for Instagram you are prompted to have a one-time 6-digit password sent to your listed phone number. This process of resetting is called 2FA, or 2 factor authentication. Two factor authentication is a mechanism deployed to provide users with an extra layer or protection in case their account information has been stolen. Having 2FA on your accounts is important because if your account password is stolen, and the attacker tries to reset your password, they are blocked from completing the process because they would need to also have access to your phone. Laxman has discovered that he can bypass this security layer without having access to your phone. This possibility means any attacker can get into anyone's Instagram account.
Using 6-digits as your 2FA means there is 1 million different possibilities you can try to crack the code. Now I don't know about you, but trying 1 million different possibilities within 10 minutes (the time set before the code expires) isn't easy. With modern technology, i.e the use of automated scripts and a cloud service like Google Cloud or AWS, Laxman discovered this type of attack is definitely possible for someone who is motivated. This POC (proof-of-concept) adds fuel to the fire regarding whether or not 2FA involving codes sent to your phone or email accounts are actually useful. If an attacker can bypass this with Instagram, imagine how many other accounts that use this security layer can also be bypassed. Food for thought.
You can read all about how he did it here.