Sponsored By

Instacart says customer data hasn’t been breached

Investigation cites ‘credential stuffing’ following reports of user account information being sold on ‘dark web’

Russell Redman

July 24, 2020

4 Min Read
Instacart_ordering-tablet.jpg
Instacart noted a company investigation showed that its online grocery platform hadn't been compromised.Instacart

Instacart yesterday denied that its online grocery platform had been breached by hackers after a media report said personal data from thousands of its customers was being sold on the Internet.

Information such as names, the last four digits of credit card numbers, order histories, email addresses and shopping data from “what could be hundreds of thousands of Instacart customers” was put up for sale on the “dark web,” BuzzFeed News reported this week. Sellers in two dark web stores were peddling data from “what appeared to be” 278,531 accounts, some of which could be duplicates or fakes, BuzzFeed said.

The source of the compromised data isn’t known, but apparently the information had been uploaded from “at least June,” BuzzFeed reported, adding that two Instacart users whose data was for sale confirmed that it matched recent purchases.

San Francisco-based Instacart said a company investigation of possible unauthorized use of user account credentials concluded that its platform hadn’t been broken into by hackers. The situation likely stemmed from “credential stuffing,” in which already compromised usernames, passwords and other login data are exploited to illicitly gain access to online accounts, according to Instacart. Consumers who use the same account login information across websites or apps are vulnerable to the practice.

Related:Instacart files intellectual property lawsuit against Cornershop

Instacart customer app-smartphone.pngMore than 85% of U.S. households have access to Instacart's delivery and/or pickup services. (Image courtesy of Instacart)

“Our investigation so far has shown that the Instacart platform was not compromised or breached. Based on our team’s assessment, we believe this is the result of credential stuffing, an activity that occurs across the web when a person uses similar login credentials across various websites and apps,” Instacart said in an email statement on Thursday. “If a user’s credentials are compromised on another website or app and their login information is shared across platforms, it makes it easier for bad actors to access and utilize accounts connected to those compromised login credentials.”

Instacart said it’s reaching out to any customers whose information may have been compromised outside of its platform via credential stuffing. Those accounts will be suspended temporarily and have their current passwords disabled until customers update them, the company reported. Customers are required to create strong passwords.

“We take data protection and privacy very seriously. As a part of this commitment, we have a dedicated security team as well as multiple layers of security measures across common vectors designed to protect the integrity of all user accounts,” Instacart stated. “In instances where we believe a customer’s account may have been compromised through an external phishing scam or credential stuffing outside of the Instacart platform, we proactively communicate to our customers to auto-force them to update their password.”

Related:Instacart launches in-app safety hub for personal shoppers

The nation’s largest third-party online grocery delivery provider, Instacart partners with more than 400 national, regional and local retailers across more than 30,000 stores in the United States and Canada. More than 85% of U.S. households and over 70% of Canadian households have access to its delivery and/or pickup services.

According to Robert Capps, vice president of marketplace innovation at NuData Security, MasterCard’s cybersecurity arm, credential stuffing primarily takes advantage of already burgled login information and lax password protection by consumers.

“I have been responsible for organizations that had similar attacks,” Capps said in an interview. “In those cases, they aren’t compromises of the systems themselves. They aren’t breaking into the firewall. They aren’t looking for vulnerabilities in the site. They are literally using stolen credential information that’s available on the Internet, and they’re using different techniques to validate those credentials across the Internet, including all major platforms, whether they’re banking, retail, online services or what have you. They’re looking for overlap between consumers using their password from one site that has been compromised and where it’s found in other places.”

More stringent password requirements in recent years have created more “friction” for consumers as online interactions — including shopping — have increased, Capps explained.

“In general, consumers tend to try to find the easiest path toward completion of whatever function they’re looking to perform online, and passwords tend to be high-friction events for them, where they have to remember new passwords. And every site has asked for complexity these days. They want special characters, they want uppercase/lowercase, they want numbers. And they want a minimum of nine, 10 or 12 characters. That really adds to the complexity for the consumer.”

The Open Web Application Security Project (OWASP), a nonprofit foundation that works to improve the software security, lists on its website that defenses for credential stuffing include multi-factor authentication; secondary passwords, PINs and security questions; CAPTCHA tests to determine if a user is human; IP blacklisting; device fingerprinting; and requiring unpredictable usernames. A multi-pronged security scheme provides more protection, OWASP noted.

“There’s no silver bullet in security,” NuData’s Capps said. “Online security is really layering of different techniques and technologies that provide reinforcement.”

About the Author

Russell Redman

Senior Editor
Supermarket News

Russell Redman has served as senior editor at Supermarket News since April 2018, his second tour with the publication. In his current role, he handles daily news coverage for the SN website and contributes news and features for the print magazine, as well as participates in special projects, podcasts and webinars and attends industry events. Russ joined SN from Racher Press Inc.’s Chain Drug Review and Mass Market Retailers magazines, where he served as desk/online editor for more than nine years, covering the food/drug/mass retail sector. 

Russell Redman’s more than 30 years of experience in journalism span a range of editorial manager, editor, reporter/writer and digital roles at a variety of publications and websites covering a breadth of industries, including retailing, pharmacy/health care, IT, digital home, financial technology, financial services, real estate/commercial property, pro audio/video and film. He started his career in 1989 as a local news reporter and editor, covering community news and politics in Long Island, N.Y. His background also includes an earlier stint at Supermarket News as center store editor and then financial editor in the mid-1990s. Russ holds a B.A. in journalism (minor in political science) from Hofstra University, where he also earned a certificate in digital/social media marketing in November 2016.

Russell Redman’s experience:

Supermarket News - Informa
Senior Editor 
April 2018 - present

Chain Drug Review/Mass Market Retailers - Racher Press
Desk/Online Editor 
Sept. 2008 - March 2018

CRN magazine - CMP Media
Managing Editor
May 2000 - June 2007

Bank Systems & Technology - Miller Freeman
Executive Editor/Managing Editor
Dec. 1996 - May 2000

Supermarket News - Fairchild Publications
Financial Editor/Associate Editor
April 1995 - Dec. 1996 

Shopping Centers Today Magazine - ICSC 
Desk Editor/Assistant Editor
Dec. 1992 - April 1995

Testa Communications
Assistant Editor/Contributing Editor (Music & Sound Retailer, Post, Producer, Sound & Communications and DJ Times magazines)
Jan. 1991 - Dec. 1992 

American Banker/Bond Buyer
Copy Editor
Oct. 1990 - Jan. 1991 

This Week newspaper - Chanry Communications
Reporter/Editor
May 1989 - July 1990

Stay up-to-date on the latest food retail news and trends
Subscribe to free eNewsletters from Supermarket News

You May Also Like