Repeatedly hacked instagram account, how is this possible?

Day one, a call, the client's instagram account was hacked.
On this day, her account was already hacked, but she restored it through technical support, but after ten changes, the same thing happens, changing the password and mail without notification. At the same time, as she claims, the account was tied to a phone number.
Then I connect, they provide me with a link to restore, I restore access, indicate my mail, my password and link it to my phone number.
After 10 minutes, hacking again with changing the password and mail, but they cannot change the number, because of this, hackers do not have access to the page.
I restore access by standard means, but everything repeats again, it can happen again in an hour, or maybe in a day.
In fact, they have already changed the telephone itself, I log in from my phone or from a computer to linux.
Actually the question is, how is such an easy hacking instagram possible?
Or there is such a big security hole that someone is exploiting it. Maybe someone came across.

UPD:

If everything was that simple, it would be good.
1. The computer cannot be infected, I already wrote my computer on Linux, the client comes in general only from the phone, the client's phone has even been reset to factory settings.
2. I restored access, I did not have time to transfer the password to the client, as after 10 minutes hacking, i.e. no matter what device the login is from, hacking is carried out smoothly.
3. I generated a clear case password with uppercase and lowercase letters, numbers and symbols.
4. I have already linked the account to my mail, obviously no one has hacked it, and judging by the hacking method, they do not care what mail is indicated there. No notifications come to the mail, only when they change their mail and password, they try to re-enter, they are asked for a confirmation code that comes to the phone.
Of course, I understand that a hole in Instagram is unlikely, but at the moment I am inclined to this option, because hacking occurs regardless of the complexity of the password and the specified mail, regardless of which device the user comes from.
With all this, those support is silent.

UPD2:

News from the battlefields. Intermediate result:
It turned out that the client gave the account password himself. That is, no one hacked anyone.
The only question that remains is how the attackers change the mail and password, almost immediately after changing their owner.
At the moment, no one has access.
When restoring through the support service, they send a link to the recovery, we set our password, then we try to log in by entering our mail and password, he accepts them, but asks for a confirmation code, which is sent to the attacker's mail. Tech support does not respond to this, only sends a new link.
By some miracle, the phone got rid of the account itself and it was definitely not the attackers who changed it, since when they enter the account they are asked for a confirmation code, which should be sent to my cell number, but in fact does not come.