The grocery-delivery service is in a mess after some digging was done and found that the information of hundreds of thousands of its users is being sold on the dark web. This also includes transactions and personal information that can reveal your identity. Instacart says its investigation into the incident so far has not uncovered a breach, instead suggesting that the information was obtained as a result of unchanged passwords.
It was recently reported that dark web sellers in two different stores were receiving information from as many as 278,531 Instacart accounts, although the site said it wasn’t sure that all were real or whether some may have been fake and duplicate accounts. Now would really be a good time to change your Instacart password. While Instacart refused to name the sites where the information was being traded, it was reported that the information included names, email addresses, your order history, and the last four digits of your credit cards at a cost of $2 per user.
The company began to put the blame on users for reusing or recycling passwords, it is a common security failure that can allow the data of someone whose information was previously leaked to be used to log into other sites or information. Instacart also twitted that its investigation so far has revealed that the Instacart platform was never hacked or compromised, adding that “we believe this is the result of credential stuffing—a technique used by 3rd party bad actors similar to phishing, and occurs when a person uses similar login credentials across various websites and apps.”
Instacart began to advise users to change their passwords in their account settings to something that they do not use elsewhere because they feel it might have been a technique used by third parties to log in credentials across various websites and apps. The company claimed to have begun an investigation as soon as it became aware of the issue.
However, Instacart said that it does not store full credit details but rather the last four-digit numbers. Whether or not the data originated from a breach of Instacart’s system, it’s probably not a bad idea to change your password immediately if you’ve got an active account with the platform.