For the last few months, Instacart has been a godsend for customers unwilling to food shop because of Covid-19 concerns but users of the popular shopping app might want to run a credit check.
BuzzFeed News is reporting that the personal information of hundreds of thousands of Instacart customers is currently being sold on the dark web. This data includes full names, the last four digits of the credit card numbers used, and order histories.
“As of Wednesday,” reports BuzzFeed, “sellers in two dark web stores were offering information from what appeared to be 278,531 accounts, although some of those may be duplicates or not genuine.”
The website reached out to Instacart. The company denied any security breaches.
“We are not aware of any data breach at this time. We take data protection and privacy very seriously,” an Instacart spokesperson told BuzzFeed News. “Outside of the Instacart platform, attackers may target individuals using phishing or credential stuffing techniques. In instances where we believe a customer’s account may have been compromised through an external phishing scam outside of the Instacart platform or other action, we proactively communicate to our customers to auto-force them to update their password.”
BuzzFeed was unable to trace back to exactly how the information appeared on the dark web but confirmed that the uploads date back to June.
The head of cybersecurity firm Security Fanatics told BuzzFeed News, “It’s looking recent and totally legit.”
The website reached out to two women whose personal information was for sale. Both women confirmed they were Instacart customers and the date of their last order, credit card information, and order amount matched the info on the dark web.
After being alerted to these issues, one of the women contacted Instacart. The company told her the issue was likely “password reuse across other websites or apps.”
Chester told BuzzFeed she does not reuse passwords for her logins.
If you’re an Instacart user, we strongly suggest changing your password and checking our connected bank accounts immediately.
[via BuzzFeed News]