Grocery delivery and pick-up service Instacart is facing a major security dilemma today. The personal details of its customers are being sold on the dark web, but the company is denying its servers have been breached.
As BuzzFeed News reports, so far, 278,531 Instacart accounts were found to be for sale on the dark web, costing as little as $2 per customer. The information includes the customer name, email address, the last four digits of their credit cards, the order history for the account, and some other shopping-related data. The validity of the account information has been verified by two Instacart customers whose details are up for sale, and this information is not old. The accounts being sold contain information from orders placed through June and up to July 22.
When BuzzFeed approached Instacart with the information, a spokesperson responded by saying, “We are not aware of any data breach at this time. We take data protection and privacy very seriously … Outside of the Instacart platform, attackers may target individuals using phishing or credential stuffing techniques. In instances where we believe a customer’s account may have been compromised through an external phishing scam outside of the Instacart platform or other action, we proactively communicate to our customers to auto-force them to update their password.”
Instacart has millions of customers across the US and Canada, so this counts as a relatively small breach of customer information. It may be that the details were stolen from customers outside of the Instacart platform, as the company hints, but surely then there would be much more information for sale per account?
Any Instacart customers concerned about the security of their personal details can take the usual steps of changing their account password and enabling two-factor authentication if it’s available. If possible, I’d also remove the credit card associated with the account. Keeping your operating system up-to-date and using a good security suite for protection is also strongly advised. Hopefully, Instacart is investigating why hundreds of thousands of its customers are having their details sold and will release a statement including an explanation.