Thousands of Instacart customer details sold online
Instacart says credential stuffing and not a data breach is likely to blame
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
The personal information of thousands of users of thegrocery delivery serviceInstacart is being sold on the Dark Web for around $2 per customer.
This data includes the names, last four digits of credit card numbers and order histories of the service’s users and even customers who used the service recently, according to a report fromBuzzFeed News.
As of last Wednesday, sellers in twoDark Webstores were selling user information from what appears to be 278,531 accounts. However, some of these accounts could be duplicates or not genuine. Instacart has millions of customers across the US and Canada as of April of this year as more people turn to having their groceries delivered to avoid going into supermarkets during the pandemic.
Not a data breach
In asecurity updatepublished on its website, Instacart explained that credential stuffing was likely to blame and that its platform had not been compromised or breached, saying:
“Our teams have been working around the clock to quickly determine the validity of reports related to site security and so far our investigation has shown that the Instacart platform was not compromised or breached. Based on our team’s assessment, we believe that this is what is commonly referred to as credential stuffing — an activity that occurs across the web when a person uses the same login credentials across various websites and apps.”
Credential stuffingis a tactic often employed by cybercriminals who use usernames and passwords from past data breaches to try and gain access to users' accounts on other services. However, it seems plausible that hundreds of thousands of Instacart customers used the same passwords across multiple sites.
To protect its users, Instacart is notifying affected customers, invalidating their previous passwords and advising them to reset their password as an extra security measure.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
ViaBuzzFeed News
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
This new phishing strategy utilizes GitHub comments to distribute malware
Should your VPN always be on?
5 must-have Android apps
