According to BuzzFeed News, personal information of what could be hundreds of thousands of Instacart customers is being sold on the dark web. This data includes names, the last four digits of credit card numbers, and order histories, and appears to have affected customers who used the grocery delivery service as recently as earlier this week. Only, as of 4:22pm ET yesterday, Instacart says “it has not found evidence of a cybersecurity breach”. Hmmm.
The article on BuzzFeed News (Hundreds Of Thousands Of Instacart Customers’ Personal Data Is Being Sold Online, written by Jane Lytvynenko) states that “[a]s of Wednesday, sellers in two dark web stores were offering information from what appeared to be 278,531 accounts, although some of those may be duplicates or not genuine.”
As of April, Instacart had “millions of customers across the US and Canada,” according to a company spokesperson.
The source of the information, which also included email addresses and shopping data, was unknown, but appeared to have been uploaded from at least June until today.
“It’s looking recent and totally legit,” Nick Espinosa, the head of cybersecurity firm Security Fanatics, told BuzzFeed News after reviewing the accounts being sold.
Two women whose personal information was for sale confirmed they were Instacart customers, that their last order date and amount matched what appeared on the dark web, and that the credit card information belonged to them.
“I don’t really know what to say. It’s hard to know what to say, not knowing if it’s a result of [Instacart’s] negligence,” Hannah Chester told BuzzFeed News. “But if they’re aware that this happened and haven’t informed us, that’s problematic.”
After this story was published, Chester contacted Instacart customer support who told her the issue was likely with password reuse across other websites or apps. Chester said she does not reuse passwords for her logins.
The other woman, Mary M., who asked for her full name not to be used, told BuzzFeed News she would cancel her Instacart account and use a different service.
“I think that it’s very unfortunate that you were the one to tell me and not Instacart,” she said. “I feel like if you know about it, why in the world don’t they? Why haven’t they reached out?”
According to BuzzFeed News, the account information was being sold for around $2 per customer. According to one of the websites where the information was being sold, the personal data of people using Instacart accounts had been added throughout June and July, with the most recent upload being July 22.
However, Instacart told USA TODAY yesterday that it initiated an investigation and found no evidence that its hub of user data has been breached.
“We take data protection and privacy very seriously,” Instacart said in a statement. “We have a dedicated security team as well as multiple layers of security measures across common vectors designed to protect the integrity of all user accounts.”
Instacart also denied any data breach to BuzzFeed News. “We are not aware of any data breach at this time. We take data protection and privacy very seriously,” an Instacart spokesperson told BuzzFeed News. “Outside of the Instacart platform, attackers may target individuals using phishing or credential stuffing techniques. In instances where we believe a customer’s account may have been compromised through an external phishing scam outside of the Instacart platform or other action, we proactively communicate to our customers to auto-force them to update their password.”
As I said at the top of the post, “hmmm”. Instacart seems pretty adamant that there hasn’t been a data breach, but BuzzFeed News claims they’ve talked to two people who’ve confirmed they’re actual customers and also confirmed their order and credit card info. Regardless, if you’re an Instacart customer, you might want to keep a close eye on your credit cards for unusual charges and take action as appropriate.
So, what do you think? Do you think that Instacart was actually hacked? Or is the BuzzFeed News report inaccurate? Please share any comments you might have or if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.