278,531 Instacart users’ data for sale on dark web; just $2 USD each account

Cybersecurity specialists report a supposed data breach at Instacart, an American firm for food delivery services. Apparently, the information of hundreds of thousands of users is on sale on dark web, BuzzFeed reports. Among the compromised data are names, the last four digits of payment cards, order history, among others. In addition, the records appear to be recent, even from this week.

For a couple of days, two users have posted on dark web forums advertisements about selling at least 278,531 accounts, although researchers believe some accounts might be found more than once. Despite claims from the alleged hackers, the company denies having suffered a data breach.

Information is reportedly sold for about two dollars per account; these ads were first released last June, while the information was last updated on July 22. 

In a statement, Instacart noted, “We’re not aware of any data breach incidents. Protecting our customers’ information is a very serious matter for us.” In addition, the company mentions that users can also be attacked outside their platform using phishing campaigns or credential filling.

Nick Espinosa, director of cybersecurity firm Security Fanatics, said, “We’ve reviewed some of the accounts listed and everything seems to indicate that the incident is recent and completely legitimate.” In addition, two users confirmed that their personal information was compromised, mentioning that the dates and quantities of their most recent orders matched the information that was exposed on dark web.

“I don’t know what to say, I’ve been told it’s hard to know if this happened because of company negligence or other factors,” said Hanna Chester, one of the users affected. Chester claims that he contacted the company’s customer service area, where he was informed that, although the incident was not confirmed, it was likely to be announced later.  

The other user affected, who preferred not to disclose her name, says she decided to cancel her Instacart account after the incident, as she has stopped relying on this service: “This is a very unfortunate situation, I feel that the company has lacked sensitivity to notify users of the incident.”