If those in that pastebin were actual funded Instawallet accounts, the URLs weren't discovered through brute force cracking.
Now if those URLs were sent by Instawallet users via e-mail (which transmits in clear-text) or in SMS/text messaging (which transmits in clear-text on telecom networks), or on corporate networks with packet inspection or on compromised Windows systems, etc., then certainly like any bearer instrument, these URLs are vulnerable to being hijacked by a thief. That's one reason why the FAQ reads
do not recommend to store significant amounts of Bitcoins here.
-
https://instawallet.org/static/faq