17 Gifts at All-Time Lows Gifts Under $30 'Forest Bubble' on Mars RSV and the Holidays MyHeritage 'AI Time Machine' Postage Stamp Price Increase Household Items on Amazon Melatonin vs. GABA
Want CNET to notify you of price drops and the latest stories?
No, thank you

Instacart user data for sale on the dark web, report says

The data appears to involve more than 270,000 accounts.

A report says info on more than 270,000 Instacart user accounts is for sale on the dark web.
Getty Images

Instacart user data is for sale on shady web forums, according to a Wednesday evening report from BuzzFeed. The data reportedly includes names, the last four digits of credit card numbers, and order histories. Passwords and full financial information weren't listed among the data nicked from breached accounts, which tallied to more than 270,000 (though that number may include duplicates or incorrect information).

Now playing: Watch this: In a world of bad passwords, a security key could be...

Instacart says it doesn't believe there was a data breach affecting its own systems. Fraudsters may have stolen the data by logging in to accounts of users who'd reused passwords that were stolen in data breaches at other companies, a hacking technique called credential stuffing. Another approach is sending fraudulent phishing messages to users, tricking them into entering their account passwords.

The best defense against credential stuffing attacks is to avoid reusing passwords (use a password manager to help you keep track of unique passwords for all your accounts). You can also use two-factor authentication, which adds an extra step to the log in process and keeps hackers from accessing your accounts with just your password.