SECURITY
About 270,000 Instacart Inc. customer records have been found for sale on the dark web, but the company is denying that it has experienced a data breach.
Discovered by Buzzfeed News and revealed Wednesday, the records, which are being sold for around $2 each, include customer name, email address, order history and the last four digits of the customer’s credit card number. The data was first listed for sale in April on two different marketplaces on the dark web, a shady part of the internet reachable with special software, with the records on offer being regularly updated.
Instacart is denying that its systems have been breached, saying instead that the data was stolen through credential stuffing. The method involves hackers using compromised account details from other hacks to gain access to an account on another site, since people often reuse credentials including passwords across multiple sites.
“In this instance, it appears that third-party bad actors were able to use usernames and passwords that were compromised in previous data breaches of other websites and apps to log in to some Instacart accounts,” Instacart said in a post on Medium.
Instacart said that it was taking a number of steps to support those affected and to ensure the security of its platform. Affected customers are having their passwords reset and are being advised to use unique, strong passwords that they do not use on any other app or website.
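Credential stuffing, as described above, leaves a recognisable trace in authentication logs: one source tries many different accounts, most attempts fail, and the few successes are exactly the accounts that need a forced reset. The following detector is an added example written for this article, not Instacart's code; the log format, IP addresses and accounts are constructed, and the thresholds are assumptions to tune per site.

```python
"""Flag credential-stuffing sources in an authentication log (added example)."""
from collections import defaultdict

def parse_line(line):
    # Constructed format: "<timestamp> <source-ip> <account> <SUCCESS|FAIL>"
    _ts, ip, user, result = line.split()
    return ip, user, result == "SUCCESS"

def find_stuffing_sources(events, min_distinct_users=5, min_fail_ratio=0.8):
    """Return {src_ip: sorted accounts that logged in OK from a flagged source}.

    A source is flagged when it tries at least min_distinct_users different
    accounts and at least min_fail_ratio of its attempts fail: a leaked list
    being replayed, not one user mistyping a password. Brute force against a
    single account (one user, many failures) is deliberately not matched.
    Successes from a flagged source are the accounts to reset.
    """
    per_ip = defaultdict(list)
    for ip, user, ok in events:
        per_ip[ip].append((user, ok))
    flagged = {}
    for ip, attempts in per_ip.items():
        distinct = {user for user, _ in attempts}
        fail_ratio = sum(not ok for _, ok in attempts) / len(attempts)
        if len(distinct) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = sorted(user for user, ok in attempts if ok)
    return flagged

def analyze(log_text):
    return find_stuffing_sources(parse_line(l) for l in log_text.splitlines() if l.strip())

# Constructed sample: 203.0.113.7 replays a leaked list (6 accounts, 1 hit);
# 198.51.100.5 is one user retrying; 192.0.2.9 brute-forces a single account.
SAMPLE_LOG = """
2020-04-01T10:00:01 203.0.113.7 alice@example.com FAIL
2020-04-01T10:00:02 203.0.113.7 bob@example.com SUCCESS
2020-04-01T10:00:03 203.0.113.7 carol@example.com FAIL
2020-04-01T10:00:04 203.0.113.7 dave@example.com FAIL
2020-04-01T10:00:05 203.0.113.7 erin@example.com FAIL
2020-04-01T10:00:06 203.0.113.7 frank@example.com FAIL
2020-04-01T10:01:00 198.51.100.5 alice@example.com FAIL
2020-04-01T10:01:05 198.51.100.5 alice@example.com SUCCESS
2020-04-01T10:02:00 192.0.2.9 alice@example.com FAIL
2020-04-01T10:02:01 192.0.2.9 alice@example.com FAIL
2020-04-01T10:02:02 192.0.2.9 alice@example.com FAIL
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))  # {'203.0.113.7': ['bob@example.com']}
```

In practice the same logic runs per time window and is paired with rate limiting and a forced reset or step-up authentication for the flagged successes.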
While seemingly not directly to blame, Instacart still came in for criticism.
“From the information that has been released thus far, we know that Instacart allows users to use three possible methods of authentication: an Instacart account, Google and Facebook,” Thomas Richards, principal security consultant at electronic design automation company Synopsys Inc., told SiliconANGLE. “While Google and Facebook appear to have strong account password policies and protections, Instacart’s password policy only requires six characters. This is below the industry standard and is considered a weak password policy.”
Brian Herr, vice president of enterprise data privacy software firm Privitar Ltd., said the situation underscores the critical need for businesses to integrate both security- and privacy-preserving strategies to protect their sensitive customer data.
“While established security technologies (e.g. firewalls, access control and traffic monitoring) prevent unauthorized access to sensitive data and reduce the likelihood of data leakage, they provide no protection when data is in use or once it leaks,” Herr said. “This level of protection requires data privacy, which controls what can be learned and can prevent exposure of individuals and thereby reduces or eliminates the consequences of a data breach or misuse, whether inadvertent or malicious.”