Instacart, the U.S. and Canadian online grocery delivery service, blamed reused passwords for the recent account hacks that led to the theft of its customers’ personal data that landed on the dark web.
In a post on its website, Instacart said its investigation concluded the San Francisco-based company was not compromised. Instead, Instacart said hackers used credential stuffing, a practice in which usernames and passwords stolen from other sites are used to hack into other accounts.
“It appears that third-party bad actors were able to use usernames and passwords that were compromised in previous data breaches of other websites and apps to login to some Instacart accounts,” Instacart wrote. “In some instances, this would have given the third party bad-actors access to basic customer account information such as first name, address, last order, total order number, and in some cases, the last four digits of a customer’s credit card. This information was not uniformly pulled for every impacted customer, and no credit card data was compromised as Instacart does not store full credit card information.”
Instacart advised customers to select unique, strong passwords for their accounts that they do not use on any other apps or websites as an extra precaution.
PYMTS reported hundreds of thousands of Instacart customers had their personal data sold online, including the last four digits of their credit cards.
Sellers were offering data from what could have been 278,531 accounts, although some may have been duplicates or fake.
Instacart denied it happened.
“We are not aware of any data breach at this time,” an Instacart spokesperson said. “We take data protection and privacy very seriously. Outside of the Instacart platform, attackers may target individuals using phishing or credential stuffing techniques. In instances where we believe a customer’s account may have been compromised through an external phishing scam outside of the Instacart platform or other action, we proactively communicate to our customers to auto-force them to update their password.”
In May, Instacart added a shopper safety feature to its app, which the company said would help customers stay safe during the pandemic. The feature includes identity verification tools and an updated contactless delivery option. There was also a “Get Emergency Assistance” button added, which was able to help customers quickly access medical assistance if needed.