Instacart Hack? You need to change your password now


Illustration for the article titled Now you need to change your Instacart password

Photo: OLIVIER DOULIERY / AFP (fake pictures)

Now would be a good time to change your Instacart password.

Grocery delivery service is in hot water after an investigation found that information from hundreds of thousands of its Users are sold on the dark web, including transactions and personally identifiable information. Instacart says its investigation into the incident so far has not uncovered a breach, but instead suggests that the information was accessed as a result of reused passwords.

BuzzFeed News reported On Wednesday, dark web vendors at two different stores were selling information on up to 278,531 Instacart accounts, although the site noted that it was not clear that they were all genuine or whether some might have been duplicated. Although it did not name the places where the data was exchanged, BuzzFeed News reported that the information names included, email addresses, order history, last four digits of credit cards, at a cost of $ 2 per user. The report noted that the information appears to reflect transactions as recent as this week. BuzzFeed was able to confirm that the information matched that of several Instacart buyers it spoke to.

The company’s official line of defense today seems to blame reused or recycled passwords, a poor but common security flaw. That may allow the credentials of someone whose information has been previously exposed to be used to access other sites or information. in a thread On Twitter, the company said its “investigation so far has shown that the Instacart platform was neither compromised nor violated,” adding that “we believe this is the result of credential stuffing, a technique used by third-party bad actors similar to the phishing, and occurs when a person uses similar login credentials on various websites and applications. “

Instacart added that it is resetting user passwords “may have been affected by third-party credential stuffing” and that customers who are “concerned” should “Please change your Instacart password in your account settings to a unique password that you do not use in any other application or website account. “

Upon receiving comments, Instacart told Gizmodo that it began investigating the “possible causes” of the exposed data as soon as it realized the problem. Speaking specifically about credit card information, Instacart said that it does not store complete credit card information, but rather the last four digits. Did not respond to a request for comment on a cited customer by BuzzFeed reporter Jane Lytvynenko, who said they don’t reuse passwords.

Whether or not the data originated from a Instacart system violation, it’s probably not a bad idea to change your password right away if you have an active account with the platform. And if you haven’t already, consider using a password manager.

.