Now would be a good time to change your Instacart password.
The grocery-delivery service is in hot water after an investigation found that the information of hundreds of thousands of its users is being sold on the dark web—including transactions and personally identifying information. Instacart says its investigation into the incident so far has not uncovered a breach, instead suggesting that the information was accessed as a result of reused passwords.
BuzzFeed News reported Wednesday that dark web sellers in two different stores were hawking information from as many as 278,531 Instacart accounts, though the site noted it wasn’t clear that all were genuine or whether some may have been duplicates. While it did not name the sites where the data was being traded, BuzzFeed News reported that the information included names, email addresses, order histories, and the last four digits of credit cards, sold at a cost of $2 per user. The report noted the information seems to reflect transactions as recent as this week. BuzzFeed was able to confirm that the information matched that of a number of Instacart shoppers to whom it spoke.
The company’s official line of defense at present appears to be blaming reused or recycled passwords, a poor but common security practice that lets credentials exposed in one breach be used to log in to other sites and services. In a thread on Twitter, the company said its “investigation so far has shown that the Instacart platform was not compromised or breached,” adding that “we believe this is the result of credential stuffing—a technique used by 3rd party bad actors similar to phishing, and occurs when a person uses similar login credentials across various websites and apps.”
Instacart added that it is resetting the passwords of users who “may have been affected by third party credential-stuffing” and that customers who are “concerned” should “change their Instacart password in their account settings to a unique password that they do not use on any other apps or website accounts.”
Reached for comment, Instacart told Gizmodo that it began investigating “potential causes” of the exposed data as soon as it became aware of the issue. Speaking specifically to the credit card information, Instacart said that it does not store full credit card information but rather the last four digits. It did not respond to a request for comment about a customer cited by BuzzFeed reporter Jane Lytvynenko who said they do not reuse passwords.
Whether or not the data originated from a breach of Instacart’s system, it’s probably not a bad idea to change your password immediately if you’ve got an active account with the platform. And if you aren’t already using one, consider a password manager so that every account gets its own unique password.