You're lucky you weren't affected by this. Several people I know with three-letter usernames had theirs stolen over the last few days.

When I recovered my account that had been stolen through this exploit (luckily, my username hadn't been changed), I was sent a code to my email address and then asked to use my TOTP code, backup code, or a video selfie. I used my TOTP code and was let in just fine. They certainly have the ability to make such a feature. Keep in mind, however, that several unpatched TFA bypasses exist for Instagram currently. People offer it as a service for around $1,000 on Telegram. Where there's a TOTP code input, there's a way to bypass it.