TL;DR: Missing authentication combined with a simple Insecure Direct Object Reference vulnerability allowed to overtake a selection of temporary locked Instagram accounts. An extrapolation of the PoC account range learned that 4% of all existing & active Instagram accounts (approx. 500 million) were in a vulnerable locked state (approx. 20 million). Facebook fixed the vulnerability within a day and granted a $5.000 bounty 10 days later.