Instacart user data for sale on the dark web, report says

The data appears to involve more than 270,000 accounts.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala

A report says info on more than 270,000 Instacart user accounts is for sale on the dark web.

Getty Images

Instacart user data is for sale on shady web forums, according to a Wednesday evening report from BuzzFeed. The data reportedly includes names, the last four digits of credit card numbers, and order histories. Passwords and full financial information weren't listed among the data nicked from breached accounts, which tallied to more than 270,000 (though that number may include duplicates or incorrect information).

Watch this: In a world of bad passwords, a security key could be your new best friend

Instacart says it doesn't believe there was a data breach affecting its own systems. Fraudsters may have stolen the data by logging in to accounts of users who'd reused passwords that were stolen in data breaches at other companies, a hacking technique called credential stuffing. Another approach is sending fraudulent phishing messages to users, tricking them into entering their account passwords.

The best defense against credential stuffing attacks is to avoid reusing passwords (use a password manager to help you keep track of unique passwords for all your accounts). You can also use two-factor authentication, which adds an extra step to the log in process and keeps hackers from accessing your accounts with just your password.