Instacart user data reportedly for sale on dark web at $2 per account

Illicit merchants are selling personal data for thousands of Instacart users on the dark web at bargain-bin prices, a new report says.

Information for as many as 278,531 of the grocery delivery service’s accounts — including names, order histories, email addresses and partial credit card numbers — was on sale in two dark web stores for roughly $2 a pop, BuzzFeed News reported Wednesday.

The trove of accounts appeared to include people who had used Instacart as recently as Tuesday, though some of them could be duplicates or “not genuine,” according to the outlet.

The sellers reportedly began uploading the data in June and appeared to continue adding listings into this week — but it’s uncertain where the data came from or how it was obtained.

Instacart did not immediately respond to The Post’s request for comment Thursday morning. But the San Francisco-based startup told BuzzFeed that it had not suffered a data breach, though hackers may have targeted individual users with “phishing or credential stuffing techniques.”

Phishing is a form of cyberattack in which hackers use bogus emails to get personal information, while credential stuffing uses known pairs of usernames and passwords to break into user accounts.

“In instances where we believe a customer’s account may have been compromised through an external phishing scam outside of the Instacart platform or other action, we proactively communicate to our customers to auto-force them to update their password,” an Instacart spokesperson told BuzzFeed.

The incident also appeared to affect only a subset of Instacart’s users — the company had “millions of customers” in the US and Canada as of April, according to BuzzFeed.

But some customers whose data was listed for sale reportedly said Instacart should have told them if it knew their data had been harvested.

It’s hard to know what to say, not knowing if it’s a result of [Instacart’s] negligence,” one user, Hannah Chester, told BuzzFeed. “But if they’re aware that this happened and haven’t informed us, that’s problematic.”

Instacart’s business has boomed as the coronavirus pandemic and related lockdowns caused demand for grocery delivery to surge. The firm announced last month that it had raised $225 million in new financing, growing its valuation to $13.7 billion.

Filed under