People Might Be Selling Your Instacart Order Info Online

Instacart — the grocery delivery-on-demand app — could have suffered a data breach which affected hundreds of thousands of customers. According to a recent BuzzFeed report, the names, last four digits of credit card numbers, and order histories are popping up on dark web markets as a result of the supposed Instacart hack.

The report says sellers in more than one dark web store offered personal data from over 275,000 accounts, though some of those may be duplicates. An Instacart spokesperson said the app has “millions of customers” as of April.

More from the BuzzFeed report:

“We are not aware of any data breach at this time. We take data protection and privacy very seriously,” an Instacart spokesperson told BuzzFeed News.

“Outside of the Instacart platform, attackers may target individuals using phishing or credential stuffing techniques. In instances where we believe a customer’s account may have been compromised through an external phishing scam outside of the Instacart platform or other action, we proactively communicate to our customers to auto-force them to update their password.”

“It’s looking recent and totally legit,” Nick Espinosa, the head of cybersecurity firm Security Fanatics, told BuzzFeed News after reviewing the accounts being sold.

Instacart has denied any hack of its data, but the report continues to mount evidence that it did in fact happen. It cites two women whose information matches what appears on the dark web — credit card numbers included.

When Buzzfeed reached out for comment, an Instacart customer support agent told them that the issue likely has to do with password reuse.

This could be a valid point, but the person who contacted the support line claims they do not reuse any passwords.