Instacart account data found on Dark Web, but company says it wasn’t hacked

When the entire world shut down as a result of the COVID-19 pandemic, there was a sharp spike in online delivery services. One of the most popular services to find use en masse in the United States is Instacart. Instacart specializes in grocery delivery and pickup services, and especially in the early days of the shutdown, saw a great deal of usage compared to pre-COVID times. This means a vast amount of new accounts for cybercriminals to target. It is this reality that has come to pass. As reported by SCMagazine, two prominent Dark Web stores that are used for purchasing stolen data have Instacart accounts data. There were roughly 278,000 accounts found on the Dark Web criminal marketplaces, according to a report in BuzzFeed. The data included in these accounts include payment information, names, addresses, and much more.

SCMagazine spoke to two cybersecurity experts to get their views on the incident, namely how the data was stolen in the first place. Chloé Messdaghi, vice president of strategy for Point3 Security, was convinced that the Instacart data was stolen via phishing. Messdaghi, as quoted by SCMagazine, agreed, saying, “The most likely bet is that this is a phishing situation... These are historic times and some bad actors are driven to these types of attacks by urgent financial need.” The other expert the publication interviewed disagreed with the phishing angle. Thomas Richards, principal security consultant at Synopsys, blamed credential stuffing, and extrapolated on this idea by saying, “I would recommend that Instacart investigate if there were a high number of failed login attempts on accounts which would indicate an attempt to password spray/stuff while also looking for login attempts from invalid users.”

Instacart, meanwhile, denies it was the victim of a data breach, telling USA Today it saw no evidence its accounts were hacked. Instacart said if any of its customers’ account data is on the Dark Web, it may have gotten there by specific phishing attacks aimed at individual users and not because of a company-wide hack. It posted this tweet on its Twitter account to assure users that its platform wasn’t hacked:

However the data got to the Dark Web, whether through individual phishing attacks, credential stuffing, or some other method, it does appear some Instacart account data is in the open. Every Instacart customer should be wary and carefully check their banking and credit card statements. They should also be on the lookout for any other ways that their information can be used without their permission. Identity theft is a very real possibility with incidents like this, and every Instacart customer affected is at risk.

Featured image: Instacart

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Share
Published by
Derek Kortepeter

Recent Posts

Contactless payments are hot, but are they secure?

The trend to contactless payments has accelerated as retailers and consumers adjust to COVID-19 realities.…

8 hours ago

Season’s fleecings: CISA warns on holiday shopping scams

The U.S. Department of Homeland Security is warning that online holiday shopping scams may be…

11 hours ago

Azure DNS: Using Azure DevOps to protect public DNS zones

This in-depth tutorial shows you how to use features available in Azure DevOps to boost…

14 hours ago

Report: Baidu Android apps had potential to expose data

Two apps from Chinese tech giant Baidu that had been available in the Google Play…

1 day ago

Shining a light on the dark shadow cast by shadow IT

Employees who don’t have the tools to get their jobs done sometimes turn to the…

2 days ago

Microsoft 365 troubleshooting: Diagnostic tools at your fingertips

Many Exchange Server troubleshooting tools don’t work with Microsoft 365. Fortunately, Microsoft has a bunch…

4 days ago