Instacart customers’ personal information is being sold on the dark web.
A new report found that the personal information of 275,000 Instacart customer accounts is for sale in two dark web stores. The information being sold includes names, email addresses, the last four digits of credit card numbers and shopping data from customers from June and July. The information is for sale for about $2 per person.
Some customers have confirmed the data for sale on the dark web matches their Instacart account information. However, Instacart officials said they are not aware of a data breach. They said data privacy is a top priority for the company.
“Internally, we’ve assembled a cross-functional team to promptly investigate this issue and provide an update to our customers. Our teams have been working around the clock to quickly determine the validity of reports related to site security and so far our investigation has shown that the Instacart platform was not compromised or breached,” Instacart officials said in a statement.
Officials said based on their investigation, the leaked data is the result of credential stuffing. Credential stuffing occurs when a hacker uses software to cross-reference stolen usernames or email addresses and corresponding passwords from past data breaches to gain access to victims’ accounts.
“In this instance, it appears that third-party bad actors were able to use usernames and passwords that were compromised in previous data breaches of other websites and apps to login to some Instacart accounts,” officials said. “In some instances, this would have given the third party bad-actors access to basic customer account information such as first name, address, last order, total order number, and in some cases, the last four digits of a customer’s credit card.”
For Instacart customers who feel their data might be at risk, they can take steps to protect themselves. These steps include changing passwords and turning on two-factor authentication.
Customers who might have had data exposed also should monitor their credit report for possible fraud. Credit report and identity theft protection can include dark web and internet monitoring, suspicious activity alerts and identity theft insurance.