Instacart user data is for sale on shady web forums, according to a Wednesday evening report from BuzzFeed. The data reportedly includes names, the last four digits of credit card numbers, and order histories. Passwords and full financial information weren't listed among the data nicked from breached accounts, which tallied to more than 270,000 (though that number may include duplicates or incorrect information).
Instacart says it doesn't believe there was a data breach affecting its own systems. Fraudsters may have stolen the data by logging in to accounts of users who'd reused passwords that were stolen in data breaches at other companies, a hacking technique called credential stuffing. Another approach is sending fraudulent phishing messages to users, tricking them into entering their account passwords.
The best defense against credential stuffing attacks is to avoid reusing passwords (to help you keep track of unique passwords for all your accounts). You can also , which adds an extra step to the log in process and keeps hackers from accessing your accounts with just your password.