When the entire world shut down as a result of the COVID-19 pandemic, there was a sharp spike in the use of online delivery services. One of the most popular of these services in the United States is Instacart. Instacart specializes in grocery delivery and pickup services and, especially in the early days of the shutdown, saw far more usage than in pre-COVID times. That means a vast number of new accounts for cybercriminals to target, and this is exactly what has come to pass. As reported by SCMagazine, two prominent Dark Web stores that are used for purchasing stolen data have Instacart account data. There were roughly 278,000 accounts found on the Dark Web criminal marketplaces, according to a report in BuzzFeed. The data in these accounts includes payment information, names, addresses, and much more.
SCMagazine spoke to two cybersecurity experts to get their views on the incident, particularly on how the data was stolen in the first place. Chloé Messdaghi, vice president of strategy for Point3 Security, was convinced that the Instacart data was stolen via phishing. As quoted by SCMagazine, Messdaghi said, “The most likely bet is that this is a phishing situation… These are historic times and some bad actors are driven to these types of attacks by urgent financial need.” The other expert the publication interviewed disagreed with the phishing angle. Thomas Richards, principal security consultant at Synopsys, blamed credential stuffing, and elaborated on this idea by saying, “I would recommend that Instacart investigate if there were a high number of failed login attempts on accounts which would indicate an attempt to password spray/stuff while also looking for login attempts from invalid users.”
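The check Richards describes can be sketched as follows. This is an added example, not code from the original article or from Instacart; the log line format, the result labels and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample log (not Instacart data). The line format
# "timestamp source_ip username result" is an assumption for this example.
SAMPLE_LOG = """\
2020-07-22T10:00:01Z 203.0.113.7 alice@example.com FAIL_PASSWORD
2020-07-22T10:00:02Z 203.0.113.7 bob@example.com FAIL_PASSWORD
2020-07-22T10:00:03Z 203.0.113.7 nosuch1@example.com FAIL_UNKNOWN_USER
2020-07-22T10:00:04Z 203.0.113.7 carol@example.com SUCCESS
2020-07-22T10:00:05Z 203.0.113.7 nosuch2@example.com FAIL_UNKNOWN_USER
2020-07-22T10:05:00Z 198.51.100.20 dave@example.com FAIL_PASSWORD
2020-07-22T10:05:30Z 198.51.100.20 dave@example.com SUCCESS
2020-07-22T10:06:00Z 192.0.2.44 erin@example.com SUCCESS
"""

def suspicious_sources(log_text, min_failures=3, min_accounts=3):
    """Return source IPs whose failed logins span many distinct accounts.

    A user mistyping a password fails against one account; stuffing or
    spraying fails across many, often including usernames that do not exist.
    """
    stats = defaultdict(lambda: {"failures": 0, "targets": set(),
                                 "unknown_users": 0, "successes": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _, ip, user, result = parts
        entry = stats[ip]
        if result == "SUCCESS":
            entry["successes"].append(user)
        elif result.startswith("FAIL"):
            entry["failures"] += 1
            entry["targets"].add(user)
            if result == "FAIL_UNKNOWN_USER":
                entry["unknown_users"] += 1
    report = {}
    for ip, e in stats.items():
        if e["failures"] >= min_failures and len(e["targets"]) >= min_accounts:
            report[ip] = {
                "failures": e["failures"],
                "distinct_accounts": len(e["targets"]),
                "unknown_users": e["unknown_users"],
                # Successful logins from a flagged source are candidates
                # for review and a forced password reset.
                "accounts_to_review": sorted(e["successes"]),
            }
    return report

if __name__ == "__main__":
    for ip, detail in suspicious_sources(SAMPLE_LOG).items():
        print(ip, detail)
```

The single mistyped password from 198.51.100.20 is not flagged, while the source that fails across four accounts, two of them nonexistent, is reported together with the one account it logged in to successfully.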
Instacart, meanwhile, denies it was the victim of a data breach, telling USA Today it saw no evidence its accounts were hacked. Instacart said if any of its customers’ account data is on the Dark Web, it may have gotten there by specific phishing attacks aimed at individual users and not because of a company-wide hack. It posted this tweet on its Twitter account to assure users that its platform wasn’t hacked:
(1/4) To directly address questions about customer account information, we want to share an update for Instacart customers. We take data protection & privacy very seriously and our investigation so far has shown that the Instacart platform was not compromised or breached.
— Instacart (@Instacart) July 23, 2020
However the data got to the Dark Web, whether through individual phishing attacks, credential stuffing, or some other method, it does appear some Instacart account data is in the open. Every Instacart customer should be wary and carefully check their banking and credit card statements. They should also be on the lookout for any other ways that their information can be used without their permission. Identity theft is a very real possibility with incidents like this, and every Instacart customer affected is at risk.