The publication says information including “names, the last four digits of credit card numbers, and order histories” appearing to belong to 278,531 Instacart accounts is available to buy. (Though it’s impossible to verify that this number doesn’t include duplicates or incorrect data.) BuzzFeed did confirm with two Instacart users that the order date, transaction amount, and credit card numbers included in the cache matched their recent purchases. The data also includes users’ emails addresses.
Instacart denies that there’s been a data breach of its systems, but says it’s investigating the issue and has reached out to potentially affected users. A spokesperson for the company told The Verge that it was contacting customers whose data might have been compromised not because of a data breach, but because of phishing attacks or credential stuffing.
Credential stuffing is where hackers take login information posted online as a result of leaks or breaches and use it to try and access different accounts belonging to the same targets. It’s often successful because people tend to re-use passwords across the web.
BuzzFeed reports that the data for sale dated back to June with the most recent upload covering July 22nd. “It’s looking recent and totally legit,” cybersecurity expert Nick Espinosa told the publication after reviewing the data.
Instacart says any breached accounts are temporarily suspended and users forced to update their passwords.
“We are not aware of any data breach at this time. We take data protection and privacy very seriously,” a spokesperson for the company told BuzzFeed. “Outside of the Instacart platform, attackers may target individuals using phishing or credential stuffing techniques. In instances where we believe a customer’s account may have been compromised through an external phishing scam outside of the Instacart platform or other action, we proactively communicate to our customers to auto-force them to update their password.”