You Need to Change Your Instacart Password Right Now


Now would be a good time to change your Instacart password.

The grocery-delivery service is in hot water after an investigation found that the information of hundreds of thousands of its users is being sold on the dark web—including transactions and personally identifying information. Instacart says its investigation into the incident so far has not uncovered a breach, instead suggesting that the information was accessed as a result of reused passwords.


BuzzFeed News reported Wednesday that dark web sellers in two different stores were hawking information from as many as 278,531 Instacart accounts, though the site noted it wasn’t clear that all were genuine or whether some may have been duplicates. While it did not name the sites where the data was being traded, BuzzFeed News reported that the information included names, email addresses, order histories, and the last four digits of credit cards, at a cost of $2 per user. The report noted the information seems to reflect transactions as recent as this week. BuzzFeed was able to confirm that the information matched that of a number of Instacart shoppers to whom it spoke.

The company’s official line of defense at present appears to be blaming reused or recycled passwords, a poor but common security failure that can allow the credentials of someone whose information was previously exposed to be used to access other sites or information. In a thread on Twitter, the company said its “investigation so far has shown that the Instacart platform was not compromised or breached,” adding that “we believe this is the result of credential stuffing—a technique used by 3rd party bad actors similar to phishing, and occurs when a person uses similar login credentials across various websites and apps.”


Instacart added that it is resetting the passwords of users who “may have been affected by third party credential-stuffing” and that customers who are “concerned” should “change their Instacart password in their account settings to a unique password that they do not use on any other apps or website accounts.”

Reached for comment, Instacart told Gizmodo that it began investigating “potential causes” of the exposed data as soon as it became aware of the issue. Speaking specifically to the credit card information, Instacart said that it does not store full credit card information but rather the last four digits. It did not respond to a request for comment about a customer cited by BuzzFeed reporter Jane Lytvynenko who said they do not reuse passwords.

Whether or not the data originated from a breach of Instacart’s system, it’s probably not a bad idea to change your password immediately if you’ve got an active account with the platform. And if you aren’t using one yet, consider a password manager.


DISCUSSION

I would take what Instacart says with a huge grain of salt. They are a crappy company. When something goes wrong on their end, their support usually places the blame on the user. They can’t even make their apps work like they’re supposed to, so I definitely wouldn’t trust them with security.

An easy thing to do with control of an account would be to have a shopper purchase something for you, like an 8K TV (or maybe something smaller), and entice them with a decent tip. You don’t even have to be in the same city. If you want, say it’s a surprise birthday present for your child or something to discourage the shopper making contact that would actually reach the account holder.

There have been reported instances of hacks before (though not as large as this), and purchases using stolen credit cards. In the article: “‘We take data protection and privacy very seriously,’ an Instacart spokesperson told BuzzFeed News.” When a call is placed between a customer and a shopper, a relay system is used. One good reason for this is privacy. There have been several instances of Instacart giving customers the actual phone numbers of their shoppers.