The personal data of hundreds of thousands of Instacart users are sold on the dark web for about $ 2 per person, according to one reporting from BuzzFeed.
The publication says that information, including “names, last four digits of credit card numbers and order histories” that appear to belong to 278,531 Instacart accounts, is available for purchase. (Although it is impossible to verify that this number does not contain duplicate or incorrect data.) BuzzFeed has confirmed with two Instacart users that the order date, transaction amount and cached credit card numbers correspond to their recent purchases. The data also includes users’ email addresses.
Instacart denies that there has been a data breach in its systems, but says it is investigating the issue and contacting potentially affected users. A company spokesperson said The edge that it contacted customers whose data may have been compromised, not because of a data breach, but because of phishing attacks or filling references.
Credential stuffing is where hackers use credentials posted online due to leaks or breaches and use them to attempt to access different accounts that share the same purposes. It is often successful because people tend to reuse passwords on the internet.
BuzzFeed reports that sales data date from June with the most recent upload of July 22. “It looks recent and completely legitimate,” cyber security expert Nick Espinosa told the publication after reviewing the data.
Instacart says that all hacked accounts will be temporarily suspended and users will be forced to update their passwords.
“We are currently not aware of a data breach. We take data protection and privacy very seriously, “said a company spokesperson BuzzFeed. Outside of the Instacart platform, attackers can target individuals using phishing or login techniques. In cases where we believe a customer’s account may have been hacked by an external phishing scam outside the Instacart platform or some other action, we proactively communicate with our customers to automatically force them to update their password. “