I signed up for Instagram before Facebook bought them. Back then it was a curiosity of low value and I used my throwaway password. That’s the password I’ve used for over 20 years for things I don’t care about, usually things that don’t even make it into my 1,867 item password database (ok, so only 488 are likely useful). It’s an 8 character alphanumeric — not bad by the standards of 1997 but obviously insecure now. It’s also certainly been added to many dictionaries as various services have been hacked.
After Facebook acquired instagram I think I authenticated through my Facebook account. I forgot about the old password.
Today when I launched Instagram.app I was notified of a login from Rio de Janeiro. When I answered that was not me I was sent to a password change screen. Evidently, like Google, Facebook/Instagram considers a valid password only a modest marker of identity (it might help that I never use the Instagram password and, in particular, I never login with the email address associated with that account, only with a username).
So no harm there — but it means someone is testing the throwaway password together with my gmail address against a range of accounts. I checked my database and there may be a few low value accounts I should clean up. Very few though …