Hundreds of thousands of Instacart customers impacted by data breach

Instacart denies the breach, but credit card data, addresses and transaction information are being sold on the dark web

The personal information of hundreds of thousands of Instacart customers is allegedly for sale on the dark web, according to Buzzfeed News. The data includes names, the last four digits of credit card numbers and order histories. According to the report, the breach impacted customers who used the grocery delivery service as recently as yesterday. Buzzfeed News says the source of the information is currently unknown.

As of Wednesday, two dark web stores featured sellers offering information from 278,531 Instacart accounts, but Buzzfeed said some of those accounts may be duplicates or not invalid. Hackers have been selling the account information for about $2 per customer throughout June and July. The most recent upload was on July 22.

As of this writing, Instacart has denied the breach.

"We are not aware of any data breach at this time. We take data protection and privacy very seriously," an Instacart spokesperson shared with BuzzFeed News. "Outside of the Instacart platform, attackers may target individuals using phishing or credential stuffing techniques. In instances where we believe a customer’s account may have been compromised through an external phishing scam outside of the Instacart platform or other action, we proactively communicate to our customers to auto-force them to update their password."

Buzzfeed News has, however, been in contact with two women whose personal information was listed for sale on the dark web. Both women confirmed they were Instacart customers. They also confirmed the date of their last order and found the amount paid matched what appeared on the dark web. The women also confirmed the credit card information listed belonged to them.

Hannah Chester told BuzzFeed News, “I don’t really know what to say. It’s hard to know what to say, not knowing if it’s a result of [Instacart's] negligence. But if they’re aware that this happened and haven’t informed us, that’s problematic.”

Mary M., the second woman, told BuzzFeed News she plans to cancel her Instacart account and begin using a different grocery delivery service.

“I think that it’s very unfortunate that you were the one to tell me and not Instacart,” she said. “I feel like if you know about it, why in the world don’t they? Why haven’t they reached out?”

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Organizations warned of ransomware risk from smaller operators
ransomware

Organizations warned of ransomware risk from smaller operators

19 Oct 2021
Iranian hacking group continues to target US citizens
hacking

Iranian hacking group continues to target US citizens

18 Oct 2021
MirrorBlast phishing campaign targets financial companies
phishing

MirrorBlast phishing campaign targets financial companies

15 Oct 2021
Kaspersky exposes MysterySnail zero-day exploit in Windows
zero-day exploit

Kaspersky exposes MysterySnail zero-day exploit in Windows

13 Oct 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
HPE wins networking contract with Birmingham 2022 Commonwealth Games
Network & Internet

HPE wins networking contract with Birmingham 2022 Commonwealth Games

15 Oct 2021