Facebook paid researcher Arne Swinnen a $5,000 bounty for a pair of authentication vulnerabilities in Instagram that enabled brute-force attacks against usernames and passwords. Instagram no longer allows simple passwords, and now requires a combination of numbers, letters and punctuation, and recommends that Instagram passwords not be used elsewhere online. The severity of the vulnerabilities was exacerbated by Instagram's weak password policies and its practice of enumerating user IDs incrementally, which put accounts in jeopardy with minimal effort. Facebook patched this flaw by addressing the rate-limiting feature.
Source: https://threatpost.com/instagram-patches-brute-force-authentication-flaws/118222/

