Original Post: How I was able to revoke your Instagram 2FA
This vulnerability was analyzed during Episode 93 on 25 October 2021
The gist here is that one-time-password (OTP) brute-force prevention was keyed on the source IP, so rotating IPs could get around it.
The overall attack chain was to attempt to register a new account using an existing account's phone number. The OTP sent to validate the new account could be brute-forced, and once the number was validated, any existing user with that phone number configured as a 2FA method would have it removed, allowing the attacker to strip the phone number as a 2FA option.
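To make the root cause concrete from the defender's side, here is an added example (not code from the post, the researcher, or Instagram) of an OTP verifier with two attempt-limiting designs side by side: one keyed only on the source IP, which a rotating set of addresses never trips, and one keyed on the identifier actually under attack (the phone number being verified), which caps total guesses regardless of how many IPs are used. The class name, the cap of five attempts per ten-minute window, the phone number and the 203.0.113.0/24 addresses are all constructed for the example.

```python
"""Added example: per-IP vs per-identifier OTP attempt limiting.

Names, limits and sample data are hypothetical; only the design point
(key the counter on the target, not just the client) is from the post.
"""
import hmac
import secrets
import time
from collections import defaultdict

OTP_DIGITS = 6
MAX_ATTEMPTS = 5        # assumption: wrong guesses allowed per key per window
WINDOW_SECONDS = 600    # assumption: code lifetime and counter window


class OtpVerifier:
    """Verify OTPs for a phone number.

    key_mode selects what the failure counter is keyed on:
      'ip'    - the weak design: each new source IP gets a fresh budget
      'phone' - the hardened design: the budget belongs to the number
    """

    def __init__(self, key_mode, max_attempts=MAX_ATTEMPTS, now=time.time):
        assert key_mode in ("ip", "phone")
        self.key_mode = key_mode
        self.max_attempts = max_attempts
        self.now = now
        self.codes = {}                     # phone -> (code, expiry)
        self.failures = defaultdict(list)   # key -> failure timestamps

    def issue(self, phone, code=None):
        """Create a code for `phone`. `code` is only for deterministic tests;
        a real deployment delivers the code out of band and never returns it."""
        if code is None:
            code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.codes[phone] = (code, self.now() + WINDOW_SECONDS)
        return code

    def _key(self, phone, ip):
        return ip if self.key_mode == "ip" else phone

    def _blocked(self, key):
        cutoff = self.now() - WINDOW_SECONDS
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        return len(self.failures[key]) >= self.max_attempts

    def verify(self, phone, ip, guess):
        """Return 'ok', 'wrong' or 'blocked'. A blocked request is refused
        before the guess is compared, so it yields no information."""
        key = self._key(phone, ip)
        if self._blocked(key):
            return "blocked"
        entry = self.codes.get(phone)
        valid = (entry is not None and entry[1] >= self.now()
                 and hmac.compare_digest(entry[0], guess))
        if valid:
            self.codes.pop(phone, None)      # single use
            self.failures.pop(key, None)
            return "ok"
        self.failures[key].append(self.now())
        return "wrong"


def simulate_rotation(key_mode, n_ips=50, attempts_per_ip=4):
    """Constructed scenario: one target number, many source IPs, each IP
    making a few wrong guesses (below the per-key cap). Returns how many
    guesses the verifier actually compared before refusing further ones."""
    v = OtpVerifier(key_mode)
    phone = "+15555550100"                  # constructed sample number
    v.issue(phone, code="000000")           # fixed so no guess below collides
    evaluated = 0
    for i in range(n_ips):
        ip = f"203.0.113.{i}"               # RFC 5737 documentation range
        for j in range(attempts_per_ip):
            guess = f"{100000 + i * attempts_per_ip + j:06d}"
            if v.verify(phone, ip, guess) == "blocked":
                return evaluated
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    print("per-IP limiter compared", simulate_rotation("ip"), "guesses")      # 200
    print("per-phone limiter compared", simulate_rotation("phone"), "guesses")  # 5
```

With the counter keyed on the IP, fifty addresses making four guesses each never hit the cap and all 200 guesses are compared; keyed on the phone number, the sixth guess is refused no matter where it comes from. In production you would count on both dimensions, invalidate the code once its budget is exhausted, and alert on many distinct IPs probing the same identifier, since that pattern is exactly what the rotation described above looks like in logs.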