Hundreds of thousands of Instacart customers are having their personal data sold on the dark web, including the last four digits of their credit cards, and the data could include people who used the popular delivery app as recently as this week, according to a BuzzFeed News report.
There were sellers offering data from what could have been 278,531 accounts, although some may have been duplicates or fake, the report noted. Instacart said that had never happened.
“We are not aware of any data breach at this time,” an Instacart spokesperson told BuzzFeed News. “We take data protection and privacy very seriously. Outside of the Instacart platform, attackers may target individuals using phishing or credential stuffing techniques. In instances where we believe a customer’s account may have been compromised through an external phishing scam outside of the Instacart platform or other action, we proactively communicate to our customers to auto-force them to update their password.”
But on the contrary, Nick Espinosa, head of cybersecurity firm Security Fanatics, said the data looked “recent and totally legit,” Buzzfeed News reported. And two women confirmed that they were Instacart customers, with their last Instacart purchases matching the dates the data was on the dark web, and that some of the data being sold was their own.
One woman, Hannah Chester, said if Instacart is aware of what had happened and isn’t saying so, “that’s problematic,” BuzzFeed News reported.
According to BuzzFeed News, the account information was on sale for about $2 per customer. Personal data has reportedly been added very recently through June and July, with the most recent entry being July 22.
Instacart added a shopper safety feature to its app in May, which the company said would help customers stay safe during the pandemic. The feature included identity verification tools and an updated contactless delivery option. There was also a “Get Emergency Assistance” button added, which was able to help customers quickly access medical assistance if needed.