Instacart Denies Data Breach, Blames Customers, as More Than 250,000 Instacart Customers’ PII Is for Sale on the Dark Web


Instacart has taken the unusual step of not only denying that it has suffered a data breach, but actually blaming their customers for the fact that customer data records are being offered for sale in at least two different dark web stores. The records include names, home addresses (or wherever customers get their Instacart orders delivered), credit card information including the last four digits of the credit card number, and order information. (Yes, the dark web has stores; it is really not all that different from the Internet that you know and use every day, including right now as you are reading this, other than that much of what goes on in that other, parallel web universe is illegal. The dark web is essentially the Internet equivalent of the back alleys known only to criminals as the places to go to carry out illegal trade.)

Breach or not, it’s apparent that Instacart wasn’t even aware of the issue until it was brought to their attention that people were buying and selling customer records of more than 250,000 Instacart customers.

But upon being alerted to the issue, Instacart immediately jumped right on it, and blamed their customers.

So just how is Instacart blaming their customers for the fact that their customers’ data has obviously been breached? In an announcement on the Instacart site, Instacart explains that they “wanted to share an update for Instacart customers related to reports about a recent third-party security issue,” and that they have “assembled a cross-functional team to promptly investigate this issue and provide an update to our customers. Our teams have been working around the clock to quickly determine the validity of reports related to site security and so far our investigation has shown that the Instacart platform was not compromised or breached.”


They go on to say that “Based on our team’s assessment, we believe that this is what is commonly referred to as credential stuffing — an activity that occurs across the web when a person uses the same login credentials across various websites and apps. If a user’s credentials are compromised on another website or app and their login information is shared across platforms, it makes it easier for third-party bad actors to access and utilize accounts connected to those compromised login credentials.”

So basically Instacart is saying that more than 250,000 (Buzzfeed is reporting 278,531) Instacart customers have each been using one password across multiple sites, that some other service or services that just happened to have those same 250,000+ Instacart customers as users were somehow compromised, and that each of those customers used the same password for Instacart as for those other services.

What are the odds!?

Of course, you have to be able to read between the lines to understand what Instacart is actually saying. Here is our translation:


We wanted to share an update for Instacart customers related to reports about a recent third-party security issue and blame others right up front.

Internally, we’ve assembled a ~~cross-functional~~ dysfunctional team to promptly ~~investigate this issue~~ figure out how to blame someone else, and provide an update to our customers. Our teams have been working around the clock to quickly determine the ~~validity of reports related to site security~~ best way to scapegoat our customers, and so far our investigation has shown that ~~the Instacart platform was not compromised or breached~~ our regard for our customers is matched only by our regard for our workers.

Based on our team’s assessment, we believe that this is what is commonly referred to as credential stuffing — an activity that occurs across the web when a person uses the same login credentials across various websites and apps. If ~~a user’s~~ 250,000 users’ credentials (let’s see if the public will buy that it happened to 250,000 people all at once) are compromised on another website or app and their login information is shared across platforms, it makes it easier for third-party bad actors to access and utilize accounts connected to those compromised login credentials.

Let us distract you from the breach with our employee’s perky *ss


So, do you believe Instacart that they did not have a data breach, and that more than 250,000 of their customers just happen to have had their credential-stuffed data randomly compromised? Either way, of course, if you have an Instacart account it’s time to change your password, and monitor your credit card statements.

