http://exfiltrated.com/research-Instagram-RCE.php

tl;dr sorta:

Instagram has a 'bug bounty' program where Information Security types submit exploitable bugs in their webapps, servers, etc., and Instagram pays out an amount of money depending on the severity of the bug. Instagram, who, remember, is owned by Facebook, threw down the gauntlet and said 'Yeah, if someone finds a million dollar bug, we are paying a million dollars!'

And that money went largely unclaimed because Instagram and Facebook have excellent InfoSec teams generally and tend not to fuck up too badly. Until someone put together a string of bad configuration decisions on a forgotten server and managed to root it, then put together a dossier on the hows and whys and whens to claim his cool mil, or perhaps more realistically 20-50k USD which is the going rate for this sort of thing.

Instagram pays $2500 for one element of the compromise, then starts clutching pearls when the guy's like "Maybe you don't understand; these are your weak as fuck admin passwords, here is where you store your customer data which I now have access to, what's the deal?"

And Instagram basically said that the security research violated some very dodgy and questionable criteria for the bug bounty program regarding avoiding customer data and a few other things, and honestly this would be a huge black eye for them out the gate if it stopped there, but the dude shows up for work the next day and ends up having to answer for 'hacking Instagram' to his boss, his boss's boss, and so on, because the Chief Security Officer of Facebook, Alex Stamos, called them and demanded they account for their employee's actions.

Pretty gross shit considering if this guy had simply bundled up everything he got off that hack, he could have sold it on Darkweb for 6 figs and probably knocked 50% off Instagram's value in the process.

Oh and almost certainly cost Alex Stamos his job.

Non-zero odds that the usual elements are going to be trying to do just that to prove a point btw.