Today I learned a friend’s phone was hacked when someone entered a cell phone store and impersonated him enough to talk their way into getting a new SIM card to replace his own. They initiated a password recovery at Instagram which used a two-factor code delivered by SMS, which they got thanks to the new SIM. Once in his account, they changed the password and username so they could take his original username. By the time he was notified, there was no way to undo it (they changed his account password and had his phone number).
All that work just to steal someone’s Instagram account username.
If you have a short, single-word username at Instagram, now is a great time to turn off SMS codes for 2FA logins and switch to a dedicated code generator app instead. You’ll have to add the app to your account successfully before you can turn off SMS, but this small layer of security is hopefully enough to keep anyone from taking over your account this way.