Over 200,000 Instacart accounts have allegedly been breached, with the data gleaned being sold now on the dark web.
Instacart accounts that have been active as soon as Wednesday may have data being sold on the dark web. Out of the millions of consumers using Instacart, only 278,531 accounts have been confirmed to be exposed.
Of the accounts found, many may be duplicates or not genuine, so the severity of the data breach is not yet known. Instacart claims that there has not been any breach of user data, meaning this may have been a coordinated phishing attack instead.
Users whose data has been exposed confirmed that the latest shopping data and credit card details are correct. The data appears to only contain the last four digits of the credit card numbers, full names, and order history.
"We are not aware of any data breach at this time. We take data protection and privacy very seriously," an Instacart spokesperson told BuzzFeed News. "Outside of the Instacart platform, attackers may target individuals using phishing or credential stuffing techniques. In instances where we believe a customer's account may have been compromised through an external phishing scam outside of the Instacart platform or other action, we proactively communicate to our customers to auto-force them to update their password."
It appears that the data has been uploaded from June up until the breach was discovered. Accounts are being sold off on two dark web stores for $2 each. Users should update their passwords and ensure they use two-factor authentication to prevent any such attack from affecting them in the future.