The personal information of what could be hundreds of thousands of Instacart customers is being sold on the dark web. This data includes names, the last four digits of credit card numbers, and order histories, and appears to have affected customers who used the grocery delivery service as recently as yesterday.
As of Wednesday, sellers in two dark web stores were offering information from what appeared to be 278,531 accounts, although some of those may be duplicates or not genuine. As of April, Instacart had “millions of customers across the US and Canada,” according to a company spokesperson.
The company denied there had been a breach of its data.
“We are not aware of any data breach at this time. We take data protection and privacy very seriously,” an Instacart spokesperson told BuzzFeed News. “Outside of the Instacart platform, attackers may target individuals using phishing or credential stuffing techniques. In instances where we believe a customer’s account may have been compromised through an external phishing scam outside of the Instacart platform or other action, we proactively communicate to our customers to auto-force them to update their password.”
The source of the information, which also included email addresses and shopping data, was unknown, but appeared to have been uploaded from at least June until today.
“It’s looking recent and totally legit,” Nick Espinosa, the head of cybersecurity firm Security Fanatics, told BuzzFeed News after reviewing the accounts being sold.
Two women whose personal information was for sale confirmed they were Instacart customers, that their last order date and amount matched what appeared on the dark web, and that the credit card information belonged to them.