Instacart said it was not compromised by a cybersecurity breach after hundreds of thousands of customers’ personal data was reportedly being sold for as little as $2 per account on the dark web.
The California delivery grocer confirmed on Thursday that it found no evidence that hackers had obtained the last four digits of credit card numbers, names and order histories of customers through its system.
The information was available for sale for just $2 per account on two stores on the dark web as recently as yesterday.
BuzzFeed News, which reported the breach on Wednesday, chose not to disclose the site that was advertising the data of 278,531 accounts. BuzzFeed admitted some may have been faulty.
On Twitter, Instacart released a statement that said the investigation they launched apparently turned up nothing on their end.
‘To directly address questions about customer account information, we want to share an update for Instacart customers. We take data protection & privacy very seriously and our investigation so far has shown that the Instacart platform was not compromised or breached,’ the company wrote.
Instead, Instacart said hackers may have targeted customers through credential stuffing, a technique it described as similar to phishing.
‘Based on our team’s assessment, we believe this is the result of credential stuffing – a technique used by 3rd party bad actors similar to phishing, and occurs when a person uses similar login credentials across various websites and apps,’ they wrote.
Instacart added that it is contacting individual customers to change their login credentials.
‘We are reaching out to individual customers to auto-force a password update to those customers that may have been affected by third party credential-stuffing,’ wrote Instacart.
‘If customers are concerned and want to take their own action out of an abundance of caution, we recommend that customers change their Instacart password in their account settings to a unique password that they do not use on any other apps or website accounts.’
The company further denied their system suffered a cybersecurity breach in a statement to USA Today.
‘We have a dedicated security team as well as multiple layers of security measures across common vectors designed to protect the integrity of all user accounts,’ wrote Instacart.
The most recent upload of Instacart customer data to one of the websites was on 22 July, and there were continuous updates throughout June and July.
In the feedback for one of the sales, seen by DailyMail.com, one customer said: ‘Thanks man looking forward to the free stuff :).’
Another said: ‘Great overall experience highly recommended.’
Other comments said the vendor had not fulfilled the order and that they didn’t receive the information.
An Instacart spokesman initially told BuzzFeed News on Wednesday they were ‘unaware’ of a breach of their data.
‘We are not aware of any data breach at this time. We take data protection and privacy very seriously,’ they said.
‘In instances where we believe a customer’s account may have been compromised through an external phishing scam outside of the Instacart platform or other action, we proactively communicate to our customers to auto-force them to update their password,’ they added.
The sites used were on the dark web, but BuzzFeed has chosen not to name them.
Cybersecurity expert Security Fanatics confirmed the advertisement looked legitimate and believed it had been posted recently.
Two women whose information was part of the illegal online package were Hannah Chester and another who preferred only to be known as Mary M.
‘I don’t really know what to say. It’s hard to know what to say, not knowing if it’s a result of [Instacart’s] negligence,’ Hannah Chester told BuzzFeed News. ‘But if they’re aware that this happened and haven’t informed us, that’s problematic.’
Mary reiterated her disappointment that Instacart had failed to make its customers aware of the attack and that she had to find out through journalists.
Founded in 2012 and with a reach of nearly 6,000 cities, Instacart has seen its popularity and revenue surge in the months since the coronavirus pandemic hit the United States in January.
Lockdown orders became a major factor in an uptick in online grocery stores, as civilians avoided public places, grocery stores struggled to implement public health guidelines and staffers became sick.
In June, Instacart revealed that it raised $225million in an investment round due to the boost in sales.
Apoorva Mehta, one of the Instacart founders and current CEO, became a billionaire that same month as a result.
Forbes reports that Instacart’s valuation went from $7.9billion to $13.7billion, and estimated that Mehta had a net worth of $1.2billion.
Instacart hired 300,000 more shoppers in March and had plans of adding an additional 250,000 in April.
‘We have ambitious plans for the future and this new investment enables us to deepen our support for our shoppers and partners, further fund strategic initiatives such as our advertising and enterprise businesses, and continue to deliver exceptional experiences for customers,’ Mehta said in a press release.
‘This pandemic has fundamentally reshaped the way people think about grocery and ecommerce, and we’re proud to have Instacart continue to play an important role in people’s lives now and long after this crisis subsides.’