This is very worrying to me, since I have a three-letter IG account and I already get daily recovery emails triggered by unknown actors. They have this system which after some number of these you'll also get a second link like "you can _limit password resets from devices you haven't used before_" but it's only for like 60 days, then it resets to the normal "anyone who types in your username can request resets" mode.
What I want is simply a mode to "never, ever, under any circumstances, perform 'recovery' of any kind, through any channel, ever, unless the person requesting has my TOTP code or a passkey." And frankly I want that for pretty much every account everywhere. But no, we have to leave the social engineering door wide open. And now, put a gullible robot in that doorway. Great.
You're lucky you weren't affected by this. Several people I know with three-letter usernames had theirs stolen over the last few days.
When I recovered my account that had been stolen through this exploit (luckily, my username hadn't been changed), I was sent a code to my email address and then asked to use my TOTP code, backup code, or a video selfie. I used my TOTP code and was let in just fine. They certainly have the ability to make such a feature. Keep in mind, however, that several unpatched TFA bypasses exist for Instagram currently. People offer it as a service for around $1,000 on Telegram. Where there's a TOTP code input, there's a way to bypass it.
Very interesting. I found it odd that when I happened to open IG yesterday, I was prompted to log in, and my password didn't work. I asked it to send me a link to my email and got in that way, and didn't have time to look into it further.
So I went to check it again just now after reading your comment, and I was immediately as soon as I opened the app, prompted to create a new password, which I did.
very very sketchy things going on here. But I'm glad that they didn't fully allow my account to be stolen :/