More than 275,000 Instacart Customers’ Personal Information for Sale in Dark Web Stores

Jul 24, 2020

Instacart customers’ personal information is being sold on the dark web.

A new report found that the personal information of 275,000 Instacart customer accounts is for sale in two dark web stores. The information being sold includes names, email addresses, the last four digits of credit card numbers and customers’ shopping data from June and July. The information is priced at about $2 per person.

Some customers have confirmed the data for sale on the dark web matches their Instacart account information. However, Instacart officials said they are not aware of a data breach. They said data privacy is a top priority for the company.

“Internally, we’ve assembled a cross-functional team to promptly investigate this issue and provide an update to our customers. Our teams have been working around the clock to quickly determine the validity of reports related to site security and so far our investigation has shown that the Instacart platform was not compromised or breached,” Instacart officials said in a statement.

Officials said that, based on their investigation, the leaked data is the result of credential stuffing. Credential stuffing occurs when a hacker uses software to try stolen usernames or email addresses and their corresponding passwords from past data breaches against another service’s login page, gaining access to the accounts of victims who reused those credentials.

“In this instance, it appears that third-party bad actors were able to use usernames and passwords that were compromised in previous data breaches of other websites and apps to login to some Instacart accounts,” officials said. “In some instances, this would have given the third party bad-actors access to basic customer account information such as first name, address, last order, total order number, and in some cases, the last four digits of a customer’s credit card.”
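On the service side, the pattern described above (one source trying credentials for many different accounts, mostly failing) can be spotted in login logs. The following is an added example, not Instacart's or the report's code; the log format, the sample lines and the thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log: timestamp, source IP, account, result.
SAMPLE_LOG = """\
2020-07-20T10:00:01 203.0.113.7 alice@example.com FAIL
2020-07-20T10:00:03 203.0.113.7 bob@example.com FAIL
2020-07-20T10:00:05 203.0.113.7 carol@example.com OK
2020-07-20T10:00:08 203.0.113.7 erin@example.com FAIL
2020-07-20T10:00:10 203.0.113.7 frank@example.com FAIL
2020-07-20T10:00:12 203.0.113.7 grace@example.com FAIL
2020-07-20T10:01:00 198.51.100.20 dave@example.com FAIL
2020-07-20T10:01:20 198.51.100.20 dave@example.com OK
2020-07-20T10:02:00 192.0.2.55 heidi@example.com OK
2020-07-20T10:02:30 192.0.2.55 ivan@example.com OK
2020-07-20T10:03:00 192.0.2.55 judy@example.com OK
"""

def parse(log):
    """Yield (timestamp, ip, account, succeeded) for each log line."""
    for line in log.strip().splitlines():
        ts, ip, account, result = line.split()
        yield datetime.fromisoformat(ts), ip, account, result == "OK"

def find_stuffing_sources(log, window=timedelta(minutes=5),
                          min_accounts=5, max_success_rate=0.25):
    """Flag IPs that try many distinct accounts in a short window and mostly fail."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in parse(log):
        by_ip[ip].append((ts, account, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start, most = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            chunk = events[start:end + 1]
            accounts = {a for _, a, _ in chunk}
            rate = sum(ok for _, _, ok in chunk) / len(chunk)
            if len(accounts) >= min_accounts and rate <= max_success_rate:
                most = max(most, len(accounts))
        if most:
            # Any account this source logged in to needs a forced password reset.
            reset = sorted({a for _, a, ok in events if ok})
            flagged[ip] = {"accounts": most, "reset": reset}
    return flagged
```

On the sample log only 203.0.113.7 is flagged; the user who mistyped a password once and the shared address with three successful logins are not.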

Instacart customers who feel their data might be at risk can take steps to protect themselves. These steps include changing passwords and turning on two-factor authentication.

Customers who might have had data exposed should also monitor their credit report for possible fraud. Credit report and identity theft protection can include dark web and internet monitoring, suspicious activity alerts and identity theft insurance.

©2020 IDIQ® provider of MyScoreIQ® services | All Rights Reserved