Haha fair enough. If you do know someone at Instagram, please just tell them to search for me in their support inbox. I've included identity verification in my email. They could also just reach out to the email I had in my account before the hack occurred.
Great question! My phone number isn't particularly private, but I'm not sure how exactly they found it. I have a guess, but it's pretty elaborate, so they may have found a simpler route.
"It seems like by having the ability to change one’s [Instagram] password by email or by mobile alone negates the second factor and it becomes either/or from the attacker's point of view."
I believe I have seen this version of "2FA" often enough that it might be considered an anti-pattern. 0.5FA?
Worse, it’s the most important accounts that support the weakest 2FA. U2F support is a solid guarantee that the site has nothing of value. Anything important, especially a bank, is guaranteed to be SMS/phone only.
I too am a T-Mobile customer. On Sunday and Monday the 6th and 7th of this month, in two separate incidents, my SIM number was also changed. I don't and have never had an Instagram account.
In the first instance I received a notice that someone using my phone logged into a Yahoo account I once set up for a test but never really used. During the second instance I received an email with a Google verification number. I guess that time I got the SIM changed back before anything could really happen.
So far there have been no ramifications in either case. No passwords were changed (although I changed a bunch after that) and I've seen no other effects. I've requested that T-Mobile look into the issue but have heard nothing back yet and I have not checked back with them.