The personal information of hundreds of thousands of Instacart customers may be at risk, with reports suggesting that the data is being sold on the dark web for US$2 per customer.
Sellers on two dark web stores were offering data on some 278,531 Instacart accounts, as of Wednesday. The affected accounts could be from the US and/or Canada, as Instacart confirmed that, as of April, it had millions of customers in both countries.
The data being sold included customers’ names, the last four digits of their credit card numbers, and their order histories with Instacart.
A spokesperson told BuzzFeed News that Instacart does not believe that there has been a breach of data.
“We are not aware of any data breach at this time. We take data protection and privacy very seriously,” the spokesperson said in a statement. “Outside of the Instacart platform, attackers may target individuals using phishing or credential stuffing techniques. In instances where we believe a customer’s account may have been compromised through an external phishing scam outside of the Instacart platform or other action, we proactively communicate to our customers to auto-force them to update their password.”
The source of the leak is unknown, but it appears to have been uploaded sometime between June and July.
“It’s looking recent and totally legit,” Security Fanatics head Nick Espinosa told BuzzFeed News, confirming the legitimacy of the data breach.
BuzzFeed News also reached out to several victims of the leak for comment. One woman said she contacted Instacart customer support to confront the company about the issue and to ask why the possible breach had not been relayed to all customers, only to be told by the company representative that the issue was likely due to password reuse across other websites or apps.
That customer said she does not reuse passwords for her logins.