
Hundreds of thousands of Instacart customers impacted by data breach

Instacart denies the breach, but credit card data, addresses and transaction information are being sold on the dark web

The personal information of hundreds of thousands of Instacart customers is allegedly for sale on the dark web, according to BuzzFeed News. The data includes names, the last four digits of credit card numbers and order histories. According to the report, the breach impacted customers who used the grocery delivery service as recently as yesterday. BuzzFeed News says the source of the information is currently unknown.

As of Wednesday, two dark web stores featured sellers offering information from 278,531 Instacart accounts, but BuzzFeed said some of those accounts may be duplicates or not valid. Hackers have been selling the account information for about $2 per customer throughout June and July. The most recent upload was on July 22.

As of this writing, Instacart has denied the breach.

"We are not aware of any data breach at this time. We take data protection and privacy very seriously," an Instacart spokesperson shared with BuzzFeed News. "Outside of the Instacart platform, attackers may target individuals using phishing or credential stuffing techniques. In instances where we believe a customer’s account may have been compromised through an external phishing scam outside of the Instacart platform or other action, we proactively communicate to our customers to auto-force them to update their password."

BuzzFeed News has, however, been in contact with two women whose personal information was listed for sale on the dark web. Both women confirmed they were Instacart customers. They also confirmed the date of their last order and found the amount paid matched what appeared on the dark web. The women also confirmed the credit card information listed belonged to them.

Hannah Chester told BuzzFeed News, “I don’t really know what to say. It’s hard to know what to say, not knowing if it’s a result of [Instacart's] negligence. But if they’re aware that this happened and haven’t informed us, that’s problematic.”

Mary M., the second woman, told BuzzFeed News she plans to cancel her Instacart account and begin using a different grocery delivery service.

“I think that it’s very unfortunate that you were the one to tell me and not Instacart,” she said. “I feel like if you know about it, why in the world don’t they? Why haven’t they reached out?”
