Instacart Denies Data Breach, Blames Customers, as More Than 250,000 Instacart Customer’s PII is for Sale on the Dark Web

Instacart Denies Data Breach as More Than 250,000 Instacart Customer's PII is for Sale on the Dark Web

 

Instacart has taken the unusual step of not only denying that it has suffered a data breach, but actually blaming their customers for the fact that customer data records, including credit card information including the last four digits of your credit card number, names, and home addresses (or wherever they get their Instacart orders delivered), along with order information, is being offered for sale in at least two different dark web stores. (Yes, the dark web has stores, it is really not all that different from the Internet that you know and use every day, including right now as you are reading this, other than that much of what goes on in that other, parallel web universe is illegal. The dark web is essentially the Internet equivalent of the back alleys known only to criminals as the places to go to carry out your illegal trade activity.)

Breach or not, it’s apparent that Instacart wasn’t even aware of the issue until it was brought to their attention that people were buying and selling customer records of more than 250,000 Instacart customers.

But upon being alerted to the issue, Instacart immediately jumped right on it, and blamed their customers.


So just how is Instacart blaming their customers for the fact that their customer’s data has obviously been breached? In an announcement on the Instacart site, Instacart explains that they “wanted to share an update for Instacart customers related to reports about a recent third-party security issue,” and that they have “assembled a cross-functional team to promptly investigate this issue and provide an update to our customers. Our teams have been working around the clock to quickly determine the validity of reports related to site security and so far our investigation has shown that the Instacart platform was not compromised or breached.”

They go on to say that “Based on our team’s assessment, we believe that this is what is commonly referred to as credential stuffing — an activity that occurs across the web when a person uses the same login credentials across various websites and apps. If a user’s credentials are compromised on another website or app and their login information is shared across platforms, it makes it easier for third-party bad actors to access and utilize accounts connected to those compromised login credentials.”

So basically Instacart is saying that more than 250,000 (Buzzfeed is reporting 278,531) Instacart customers each has been participating in the practice of using one password across multiple sites, and that somehow some other service or services were compromised that also just happened to have more than 250,000 Instacart customers that also use those services, and so that each of the 250,000+ Instacart customers that also used those other services each used the passwords that they use with those other services as their passwords for Instacart as well.

No Paywall Here!
The Internet Patrol is and always has been free. We don't hide our articles behind a paywall, or restrict the number of articles you can read in a month if you don't give us money. That said, it does cost us money to run the site, so if something you read here was helpful or useful, won't you consider donating something to help keep the Internet Patrol free?
Click for amount options
Other Amount:
What info did you find here today?:
Get notified of new Internet Patrol articles for free!

What are the odds!?

Of course, you have to be able to read between the lines to understand what Instacart is actually saying. Here is our translation:

We wanted to share an update for Instacart customers related to reports about a recent third-party security issue and blame others right up front.

 

Internally, we’ve assembled a cross-functional dysfunctional team to promptly investigate this issue figure out how to blame someone else, and provide an update to our customers. Our teams have been working around the clock to quickly determine the validity of reports related to site security best way to scapegoat our customers, and so far our investigation has shown that the Instacart platform was not compromised or breached our regard for our customers is matched only by our regard for our workers.

Based on our team’s assessment, we believe that this is what is commonly referred to as credential stuffing — an activity that occurs across the web when a person uses the same login credentials across various websites and apps. If a user’s 250,000 users’ credentials (let’s see if the public will buy that it happened to 250,000 people all at once) are compromised on another website or app and their login information is shared across platforms, it makes it easier for third-party bad actors to access and utilize accounts connected to those compromised login credentials.”

Let us distract you from the breach with our employee’s perky *ss

instacart data breach

So, do you believe Instacart that they did not have a data breach, and that more than 250,000 of their customers just happen to have had their credential-stuffed data randomly compromised? Either way, of course, if you have an Instacart account it’s time to change your password, and monitor your credit card statements.

No Paywall Here!
The Internet Patrol is and always has been free. We don't hide our articles behind a paywall, or restrict the number of articles you can read in a month if you don't give us money. That said, it does cost us money to run the site, so if something you read here was helpful or useful, won't you consider donating something to help keep the Internet Patrol free?
Click for amount options
Other Amount:
What info did you find here today?:

Summary
Instacart Denies Data Breach, Blames Customers, as More Than 250,000 Instacart Customer's PII is for Sale on the Dark Web
Article Name
Instacart Denies Data Breach, Blames Customers, as More Than 250,000 Instacart Customer's PII is for Sale on the Dark Web
Description
Insacart is denying a data breach of more than 250,000 customer records, and is instead blaming customers for their info being for sale on the dark web.

Leave a Reply

Your email address will not be published. Required fields are marked *