The personal information of thousands of users of the Instacart grocery delivery service is being sold on the Dark Web for around €2 per customer. This data includes the names, last four digits of credit card numbers and order history of users of the service and even customers who have recently used the service, according to a BuzzFeed News report. As of last Wednesday, vendors at two dark web stores were selling information about the users of what appears to be 278,531 accounts. However, some of these accounts may be duplicates or may not be genuine. Instacart has millions of customers across the United States and Canada as of April of this year as more people turn to grocery delivery to avoid going to supermarkets during the pandemic.
It is not a data breach
In a security update posted on its website, Instacart explained that credential stuffing was to blame and that its platform had not been compromised or breached, saying: "Our teams have been working around the clock to rapidly determine the validity of reports related to site security and so far our investigation has shown that the Instacart platform has not been compromised or breached." Based on our team's evaluation, we believe this is what is commonly known as credential stuffing, an activity that occurs across the web when a person uses the same credentials. Sign in to various websites and apps. " Credential stuffing is a tactic often employed by cybercriminals who use usernames and passwords from previous data breaches to attempt to access user accounts on other services. However, it seems plausible that hundreds of thousands of Instacart customers will use the same passwords on multiple sites.To protect its users, Instacart notifies affected customers, invalidates their old passwords, and advises them to reset their password as an added security measure.Via BuzzFeed News