A startling new report may have some families concerned about how they can best protect their Instacart accounts and continue to get their groceries delivered after some customers said theirs were hacked and sold on the dark web.
On July 22, BuzzFeed News reported that personal information from more than 278,000 Instacart customers' accounts — including names, email addresses, the last four digits of credit card numbers, and order histories — are allegedly being sold on the dark web for around $2 a customer "as recently as yesterday."
In a statement to Romper, the company denied that there had been a data breach. "Our investigation so far has shown that the Instacart platform was not compromised or breached," the grocery delivery service told Romper in a statement Thursday. "Based on our assessment we believe that this is a result of credential stuffing — an activity that occurs across the web when a person uses similar login credentials across various websites or apps."
"If a user's credentials are compromised on another website or app and their login information is shared across platforms, it makes it easier for bad actors to access and utilize accounts connected to those compromised log in credentials," Instacart's statement continued.
"We take data protection and privacy very seriously," the company said. "As part of this commitment, we have a dedicated security team as well as multiple layers of security measures across common vectors designed to protect the integrity of all user accounts."
If you're nervous your information could have been compromised, there are a few steps that you can take to give yourself some peace of mind. First, you will want to change the password for your Instacart account, which you can do through your account settings on Instacart's website or app. While you're there, you will also be able to change your email address associated with the account.
If you use your Instacart password for different accounts on different websites, you'll want to change those passwords too for an added security measure. As TechCrunch advises, using a password manager can help you come up with these new passwords and keep track of them.
You can also change or remove your credit card through Instacart's website or app, which is located in the Payment Methods section of your account settings for further security. But you might want to alert your credit card company, just in case so they can help you close your account and open a new one, according to creditcards.com.
According to Wired, websites like haveibeenpwnd.com and f-secure can alert you to old data breaches and let you know if your data has been compromised. Websites like Experian and IDShield can also scan the internet and dark web for your data and will notify you they find anything, but you'll have to pay for this service after a free trial.
In Instacart's statement to Romper, the company said it will notify its users in "instances we believe a customer's account may have been compromised through an external phishing scam or credential stuffing outside of the Instacart platform." The company said, "We proactively communicate to our customers to auto-force them to update their password."