Comment by Anamon 2 hours ago

0 replies

Someone seems to be running a campaign like this against Amazon accounts currently. I don't know the password reset process for Instagram, but maybe something similar could be happening to what people assumed is behind the Amazon wave:

Amazon sends you a 6-digit code to reset your password. The code is valid for five minutes before a new one is generated. I don't know what the rate limit is, but even if you can only try five times within those five minutes, your chance of guessing it right would be 1 in 200,000. Now assume the attackers are running this against several million accounts in parallel, and you can assume they'd be able to steal a few accounts just with lucky guesses.

It worried me enough that I removed my phone number from my account, through which the password reset requests were initiated. The absolute risk for each user may be low, but overall it seems like a terrible system with regard to security.
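The arithmetic in the comment above (guesses per code divided by the size of the code space, multiplied by the number of targeted accounts) and the mitigation it implies are worked through below. This is an added example, not code from the commenter and not Amazon's or Instagram's implementation; the class, method and status names are hypothetical, and the per-code limit of five failed attempts and the 300-second lifetime are assumptions taken from the numbers in the comment. The point of the toy store is that a reset code must be burned after a small number of wrong guesses, so the attacker's budget per account is capped regardless of how fast they can submit requests.

```python
"""Toy model of a 6-digit password-reset code with per-code attempt limiting.

Added example for illustration; not any real service's implementation.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_SPACE = 10 ** CODE_DIGITS  # 1,000,000 possible codes


def expected_compromises(accounts: int, guesses_per_code: int,
                         code_space: int = CODE_SPACE) -> float:
    """Expected number of accounts taken over by pure guessing when the
    attacker gets `guesses_per_code` distinct attempts against each code.

    Each attempt against one code succeeds with probability 1/code_space, so
    the comment's 5 guesses against 5,000,000 accounts gives 25 expected wins.
    """
    return accounts * guesses_per_code / code_space


@dataclass
class PendingReset:
    code: str
    issued_at: float
    failed_attempts: int = 0


class ResetCodeStore:
    """Hypothetical server-side store for outstanding reset codes."""

    def __init__(self, max_attempts: int = 5, ttl_seconds: float = 300.0):
        self.max_attempts = max_attempts      # assumption: 5 wrong guesses burn the code
        self.ttl_seconds = ttl_seconds        # assumption: 5-minute lifetime, as in the comment
        self._pending: dict[str, PendingReset] = {}

    def issue(self, account: str, now: float) -> str:
        # CSPRNG, zero-padded so every one of the 10**6 values is equally likely.
        code = f"{secrets.randbelow(CODE_SPACE):0{CODE_DIGITS}d}"
        self._pending[account] = PendingReset(code=code, issued_at=now)
        return code

    def verify(self, account: str, guess: str, now: float) -> str:
        """Returns one of: "ok", "wrong", "locked", "expired", "no_pending"."""
        pending = self._pending.get(account)
        if pending is None:
            return "no_pending"
        if now - pending.issued_at > self.ttl_seconds:
            del self._pending[account]
            return "expired"
        if hmac.compare_digest(pending.code, guess):
            del self._pending[account]  # single use: a correct code cannot be replayed
            return "ok"
        pending.failed_attempts += 1
        if pending.failed_attempts >= self.max_attempts:
            # Burn the code. The user must request a fresh one, which resets the
            # attacker's odds instead of letting them keep guessing the same value.
            del self._pending[account]
            return "locked"
        return "wrong"


def brute_force(store: ResetCodeStore, account: str, now: float, guesses) -> tuple[bool, int]:
    """Feed guesses until the store stops evaluating them.

    Returns (succeeded, number_of_guesses_the_store_actually_evaluated).
    """
    evaluated = 0
    for guess in guesses:
        status = store.verify(account, guess, now)
        if status in ("ok", "wrong", "locked"):
            evaluated += 1
        if status == "ok":
            return True, evaluated
        if status != "wrong":
            return False, evaluated
    return False, evaluated


if __name__ == "__main__":
    store = ResetCodeStore()
    code = store.issue("alice", now=0.0)
    # Constructed attacker input: every 6-digit value except the real code.
    candidates = (f"{v:06d}" for v in range(CODE_SPACE) if f"{v:06d}" != code)
    print("brute force result:", brute_force(store, "alice", 10.0, candidates))
    print("expected wins, 5 guesses x 5M accounts:", expected_compromises(5_000_000, 5))
    print("expected wins, unlimited guesses x 5M accounts:",
          expected_compromises(5_000_000, CODE_SPACE))
```

The second `expected_compromises` call shows the other end of the scale: without any per-code limit an attacker who can submit the whole code space within the lifetime wins every account, so the limit on attempts per issued code, not the code length alone, is what bounds the campaign-wide yield.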