
Instacart says customer data hasn’t been breached

Investigation cites ‘credential stuffing’ following reports of user account information being sold on ‘dark web’

Russell Redman

July 24, 2020

Instacart noted a company investigation showed that its online grocery platform hadn't been compromised. (Image: Instacart)

Instacart yesterday denied that its online grocery platform had been breached by hackers after a media report said personal data from thousands of its customers was being sold on the Internet.

Information such as names, the last four digits of credit card numbers, order histories, email addresses and shopping data from “what could be hundreds of thousands of Instacart customers” was put up for sale on the “dark web,” BuzzFeed News reported this week. Sellers in two dark web stores were peddling data from “what appeared to be” 278,531 accounts, some of which could be duplicates or fakes, BuzzFeed said.

The source of the compromised data isn’t known, but apparently the information had been uploaded from “at least June,” BuzzFeed reported, adding that two Instacart users whose data was for sale confirmed that it matched recent purchases.

San Francisco-based Instacart said a company investigation of possible unauthorized use of user account credentials concluded that its platform hadn’t been broken into by hackers. The situation likely stemmed from “credential stuffing,” in which already compromised usernames, passwords and other login data are exploited to illicitly gain access to online accounts, according to Instacart. Consumers who use the same account login information across websites or apps are vulnerable to the practice.


More than 85% of U.S. households have access to Instacart's delivery and/or pickup services. (Image courtesy of Instacart)

“Our investigation so far has shown that the Instacart platform was not compromised or breached. Based on our team’s assessment, we believe this is the result of credential stuffing, an activity that occurs across the web when a person uses similar login credentials across various websites and apps,” Instacart said in an email statement on Thursday. “If a user’s credentials are compromised on another website or app and their login information is shared across platforms, it makes it easier for bad actors to access and utilize accounts connected to those compromised login credentials.”

Instacart said it’s reaching out to any customers whose information may have been compromised outside of its platform via credential stuffing. Those accounts will be suspended temporarily and have their current passwords disabled until customers update them, the company reported. Customers are required to create strong passwords.

“We take data protection and privacy very seriously. As a part of this commitment, we have a dedicated security team as well as multiple layers of security measures across common vectors designed to protect the integrity of all user accounts,” Instacart stated. “In instances where we believe a customer’s account may have been compromised through an external phishing scam or credential stuffing outside of the Instacart platform, we proactively communicate to our customers to auto-force them to update their password.”


The nation’s largest third-party online grocery delivery provider, Instacart partners with more than 400 national, regional and local retailers across more than 30,000 stores in the United States and Canada. More than 85% of U.S. households and over 70% of Canadian households have access to its delivery and/or pickup services.

According to Robert Capps, vice president of marketplace innovation at NuData Security, MasterCard’s cybersecurity arm, credential stuffing primarily takes advantage of already burgled login information and lax password protection by consumers.

“I have been responsible for organizations that had similar attacks,” Capps said in an interview. “In those cases, they aren’t compromises of the systems themselves. They aren’t breaking into the firewall. They aren’t looking for vulnerabilities in the site. They are literally using stolen credential information that’s available on the Internet, and they’re using different techniques to validate those credentials across the Internet, including all major platforms, whether they’re banking, retail, online services or what have you. They’re looking for overlap between consumers using their password from one site that has been compromised and where it’s found in other places.”

More stringent password requirements in recent years have created more “friction” for consumers as online interactions — including shopping — have increased, Capps explained.

“In general, consumers tend to try to find the easiest path toward completion of whatever function they’re looking to perform online, and passwords tend to be high-friction events for them, where they have to remember new passwords. And every site has asked for complexity these days. They want special characters, they want uppercase/lowercase, they want numbers. And they want a minimum of nine, 10 or 12 characters. That really adds to the complexity for the consumer.”

The Open Web Application Security Project (OWASP), a nonprofit foundation that works to improve software security, lists on its website defenses against credential stuffing, including multi-factor authentication; secondary passwords, PINs and security questions; CAPTCHA tests to determine if a user is human; IP blacklisting; device fingerprinting; and requiring unpredictable usernames. A multi-pronged security scheme provides more protection, OWASP noted.

“There’s no silver bullet in security,” NuData’s Capps said. “Online security is really layering of different techniques and technologies that provide reinforcement.”

About the Author

Russell Redman

Senior Editor
Supermarket News

Russell Redman has served as senior editor at Supermarket News since April 2018, his second tour with the publication. In his current role, he handles daily news coverage for the SN website and contributes news and features for the print magazine, as well as participates in special projects, podcasts and webinars and attends industry events. Russ joined SN from Racher Press Inc.’s Chain Drug Review and Mass Market Retailers magazines, where he served as desk/online editor for more than nine years, covering the food/drug/mass retail sector. 

Russell Redman’s more than 30 years of experience in journalism span a range of editorial manager, editor, reporter/writer and digital roles at a variety of publications and websites covering a breadth of industries, including retailing, pharmacy/health care, IT, digital home, financial technology, financial services, real estate/commercial property, pro audio/video and film. He started his career in 1989 as a local news reporter and editor, covering community news and politics in Long Island, N.Y. His background also includes an earlier stint at Supermarket News as center store editor and then financial editor in the mid-1990s. Russ holds a B.A. in journalism (minor in political science) from Hofstra University, where he also earned a certificate in digital/social media marketing in November 2016.
