Facebook-owned photo-sharing service Instagram has recently patched a critical vulnerability that could have allowed hackers to compromise any Instagram account without requiring any interaction from the targeted users. The vulnerability resided in the password recovery mechanism implemented by the mobile version of Instagram. Instagram has rate limiting enabled to prevent such attacks, but bug hunter Laxman Muthiyah successfully demonstrated that the vulnerability could be used to hijack an Instagram account by quickly attempting 200,000 different passcode combinations (20% of all) without getting blocked. The vulnerability has now been patched by Instagram, and the bug bounty hunter was rewarded with $30,000.
Source: https://thehackernews.com/2019/07/hack-instagram-accounts.html
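
One defensive design for the recovery-passcode check described above, as an added example that is not from the original article or Instagram's code: the attempt budget is tied to the issued code and enforced atomically, so guesses from any number of clients share one small limit. The six-digit code space (inferred from 200,000 being 20% of all combinations), `MAX_FAILURES`, `TTL_SECONDS` and all names are assumptions.

```python
import hmac
import secrets
import threading
import time

CODE_SPACE = 1_000_000   # assumption: 6-digit code (200,000 guesses = 20%)
MAX_FAILURES = 5         # assumption: misses allowed per issued code
TTL_SECONDS = 600        # assumption: code lifetime in seconds

class RecoveryCodes:
    """Attempt budget lives with the issued code, not with the requester."""
    def __init__(self, clock=time.monotonic):
        self._lock = threading.Lock()
        self._issued = {}    # account -> [code, expires_at, misses_left]
        self._clock = clock

    def issue(self, account):
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        with self._lock:     # a new code replaces any older one
            self._issued[account] = [code, self._clock() + TTL_SECONDS, MAX_FAILURES]
        return code

    def verify(self, account, guess):
        # Check and decrement under one lock: parallel requests share one budget.
        with self._lock:
            entry = self._issued.get(account)
            if entry is None or self._clock() > entry[1]:
                self._issued.pop(account, None)    # unknown or expired
                return False
            if hmac.compare_digest(entry[0].encode(), str(guess).encode()):
                del self._issued[account]          # single use
                return True
            entry[2] -= 1
            if entry[2] <= 0:
                del self._issued[account]          # budget spent: code is dead
            return False

def demo(parallel_guesses=200):
    store = RecoveryCodes()
    real = store.issue("alice")                    # constructed account name
    wrong = [f"{(int(real) + i) % CODE_SPACE:06d}" for i in range(1, parallel_guesses + 1)]
    threads = [threading.Thread(target=store.verify, args=("alice", g)) for g in wrong]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return store.verify("alice", real)             # code was invalidated by the misses

if __name__ == "__main__":
    print(demo())
```

Because the code is invalidated after `MAX_FAILURES` misses, a guessing run gets at most five tries per issued code regardless of how many requests arrive in parallel.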