A researcher earned a $30,000 bug bounty from Facebook after discovering a weakness in the Instagram mobile recovery process that would allow account takeover for any user. Laxman Muthiyah took a look at Instagram s mobile recovery flow, which involves a user receiving a six-digit passcode to their mobile number for two-factor account authentication. With six digits that means there are 1 million possible combinations of digits making up the codes. It would cost around 150 dollars to perform the complete attack of one million codes.
Source: https://threatpost.com/researcher-bypasses-instagram-2fa/146466/

