The security researcher Arne Swinnen published research in which he states that he had found a way to hijack 1 million Instagram accounts within minutes.
He explains that, through a combination of missing authentication and a simple Insecure Direct Object Reference (IDOR), he would have been able to hijack locked Instagram accounts.
Missing authentication combined with a simple Insecure Direct Object Reference vulnerability allowed the takeover of a selection of temporarily locked Instagram accounts.
He shows that by changing the URL he was able to view Instagram accounts that were vulnerable to the attack.
He states that the URL revealed the issue:
The URL revealed the issue: this page was actually accessible without being authenticated (“checkpoint_logged_out_main”) and contained my Instagram test account’s unique user id.
Facebook fixed the issue within 24 hours by enforcing authentication on the pages that allow updating profile information such as the email address and/or phone number.
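The two defects the article describes (a profile-update page reachable without a session, and a user id taken from the URL and trusted) and the kind of fix Facebook applied (require authentication, and bind the update to the logged-in user) can be shown side by side in a small handler. The following is an added example written for this summary; it is not Instagram's code or the researcher's, and the route `/profile/<id>/update`, the in-memory profile store and the `Request` type are constructed here for illustration.

```python
"""Missing authentication + IDOR on a profile-update handler, beside the hardened form.
Added example for this summary; not Instagram's or the researcher's code."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed in-memory profile store: user id -> updatable profile fields.
PROFILES: Dict[int, Dict[str, str]] = {
    101: {"email": "alice@example.invalid", "phone": "+10000000001"},
    102: {"email": "bob@example.invalid", "phone": "+10000000002"},
}

# Only these fields may be changed by the update page.
ALLOWED_FIELDS = ("email", "phone")


@dataclass
class Request:
    path: str                          # hypothetical route, e.g. "/profile/102/update"
    params: Dict[str, str]             # submitted form fields
    session_user_id: Optional[int] = None   # None means no authenticated session


def user_id_from_path(path: str) -> int:
    """Extract the object id that the URL names (the 'direct object reference')."""
    parts = path.strip("/").split("/")
    if len(parts) == 3 and parts[0] == "profile" and parts[2] == "update" and parts[1].isdigit():
        return int(parts[1])
    raise ValueError("unrecognised path: %r" % path)


def apply_update(store: Dict[int, Dict[str, str]], uid: int, params: Dict[str, str]) -> None:
    for field in ALLOWED_FIELDS:
        if field in params:
            store[uid][field] = params[field]


def update_profile_vulnerable(req: Request, store: Dict[int, Dict[str, str]]) -> int:
    """Vulnerable pattern: no session check, and the id in the URL is trusted as-is.
    Anyone who can guess or enumerate a user id can rewrite that user's email/phone."""
    uid = user_id_from_path(req.path)
    if uid not in store:
        return 404
    apply_update(store, uid, req.params)
    return 200


def update_profile_fixed(req: Request, store: Dict[int, Dict[str, str]]) -> int:
    """Hardened pattern: require an authenticated session first, then refuse any
    request whose URL names an object other than the session's own user."""
    if req.session_user_id is None:
        return 401                      # missing authentication is rejected up front
    uid = user_id_from_path(req.path)
    if uid not in store:
        return 404
    if uid != req.session_user_id:
        return 403                      # IDOR check: the object belongs to another user
    apply_update(store, uid, req.params)
    return 200


def demo():
    """Run the same logged-out request against both handlers on fresh copies of the store."""
    anon = Request("/profile/102/update", {"email": "attacker@example.invalid"})
    vuln_store = {k: dict(v) for k, v in PROFILES.items()}
    fixed_store = {k: dict(v) for k, v in PROFILES.items()}
    return (
        update_profile_vulnerable(anon, vuln_store), vuln_store[102]["email"],
        update_profile_fixed(anon, fixed_store), fixed_store[102]["email"],
    )


if __name__ == "__main__":
    print(demo())
```

`demo()` shows the difference directly: the vulnerable handler returns 200 and overwrites user 102's email for an unauthenticated caller, while the fixed handler returns 401 and leaves the record untouched. A logged-in user who edits the URL to another user's id gets 403 from the fixed handler, which is the ownership check that the article's "simple IDOR" was missing.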