Have you ever used Instacart, the popular grocery shopping and delivery service? Your personal information might have been sold on the dark web. Although the company claims that they have not experienced a data breach, it appears that data from nearly 300,000 customers has popped up for sale.
According to a Buzzfeed report, “[t]his data includes names, the last four digits of credit card numbers, and order histories, and appears to have affected customers who used the grocery delivery service.”
The company told Buzzfeed that they were “not aware of any data breach at this time. We take data protection and privacy very seriously.” That’s a standard response from any corporation in this situation. But if Instacart didn’t accidentally reveal the personal information, then how did it get out?
“Outside of the Instacart platform, attackers may target individuals using phishing or credential stuffing techniques. In instances where we believe a customer’s account may have been compromised through an external phishing scam outside of the Instacart platform or other action, we proactively communicate to our customers to auto-force them to update their password.”
In other words, Instacart thinks that these 278,000+ people accidentally revealed their credit card numbers and other sensitive information.
It is possible that enterprising scammers created a scheme to take advantage of the current boom in services like Instacart. Given how many people are using grocery delivery services now, thanks to the pandemic, it would be a golden opportunity for a phishing scam.
If customers revealed their usernames and passwords as part of the scam, then that information could have allowed access to their accounts. If that happened, it would be simple for the scammers to steal all the available information and then sell it on the dark web. That information could then be used by other cybercriminals for identity theft, fraud, and other malicious activity.
Buzzfeed revealed that the cost of the personal data is about $2 per customer. That would theoretically make this scam worth over half a million dollars.
If you think your information might have been captured, you should immediately change your password. While some customers expressed the intent to delete their Instacart accounts entirely, that is not necessary given the facts as we know them now. If this story changes, we will keep you updated.
In the meantime, update your credentials. And never click a link or download an attachment in an email without using extreme caution.