As with most security threats, we want to lead with the fact that while the potential harm of this flaw is pretty big - someone could ultimately steal your account or delete your photos - the fix is pretty easy, and in the meantime there is also an easy way to protect yourself while the Instagram devs fix the hole found in the iOS app. It is possible the same flaw exists for the Android app, but that hasn't been tested yet.
The security flaw was found in Instagram 3.1.2 running on iOS, the flaw was tested and confirmed on two different iPhone 4 handsets running iOS 6. Apparently, the flaw is quite similar to that trouble that happened with the Firesheep extension a couple years ago, wherein login credential cookies could be swiped for Facebook, Google, Twitter, and others. Similarly, the app authentication with Instagram's servers is done using a plain-text cookie. If a black hat hacker intercepts that cookie, they could access your account, delete your data or change your credentials and steal your account entirely.
Of course, as we said, there is an easy way to protect yourself, and that's because the only way for someone to intercept that cookie is if you are using Instagram on an unsecured connection, like an open WiFi access point. So, if you're worried, just avoid using Instagram on an open AP for now. As we also said, the fix for Instagram is quite easy (and one that Facebook knows, since it was the same fix for the Firesheep issue), which is to use an HTTPS (secure) connection rather than standard HTTP when transferring the credential cookie.
The worst part about all of this is that the developer who found the issue, reventlov, contacted Instagram about the flaw back on November 11th, but Instagram has yet to address the issue.