UPDATED 23:00 EDT / JULY 23 2020

Stolen Instacart customer records found for sale on the dark web

About 270,000 Instacart Inc. customer records have been found for sale on the dark web, but the company is denying that it has experienced a data breach.

Discovered by Buzzfeed News and revealed Wednesday, the records, which are being sold for around $2 each, include customer name, email address, order history and the last four digits of the customer’s credit card number. The data was first listed for sale in April on two different marketplaces on the dark web, a shady part of the internet reachable with special software, with the records on offer being regularly updated.

Instacart is denying that its systems have been breached, saying instead that the data was stolen through credential stuffing. The method involves hackers using compromised account details from other hacks to gain access to an account on another site, since people often reuse credentials including passwords across multiple sites.
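As an added example (not Instacart's code and not part of the original article), the Python below shows how a defender can tell credential stuffing apart from an ordinary run of failed logins in authentication logs: the signal is one source trying many different usernames, not many passwords against one user. The event format, thresholds and sample data are assumptions chosen for illustration.

```python
"""Credential-stuffing detector over constructed login events.

Added example, not Instacart's code: the event format, thresholds and
sample data are assumptions made to illustrate the pattern the article
describes (one source trying leaked username/password pairs across many
different accounts).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, source IP, username, outcome).
SAMPLE_EVENTS = [
    ("2020-04-01T10:00:01", "203.0.113.7", "alice@example.com", "fail"),
    ("2020-04-01T10:00:02", "203.0.113.7", "bob@example.com", "fail"),
    ("2020-04-01T10:00:03", "203.0.113.7", "carol@example.com", "success"),
    ("2020-04-01T10:00:04", "203.0.113.7", "dave@example.com", "fail"),
    ("2020-04-01T10:00:05", "203.0.113.7", "erin@example.com", "fail"),
    ("2020-04-01T10:00:06", "203.0.113.7", "frank@example.com", "success"),
    # A legitimate user mistyping their own password: one account, not flagged.
    ("2020-04-01T10:05:00", "198.51.100.9", "grace@example.com", "fail"),
    ("2020-04-01T10:05:10", "198.51.100.9", "grace@example.com", "fail"),
    ("2020-04-01T10:05:20", "198.51.100.9", "grace@example.com", "success"),
]

def detect_stuffing(events, window=timedelta(minutes=10), min_distinct_users=5):
    """Map each suspicious source IP to the accounts it logged into.

    A source is suspicious when it attempts `min_distinct_users` or more
    different usernames inside any `window`. Brute force is many passwords
    against one user; stuffing is one leaked password per user across many
    users, so the distinct-username count is the signal, not failures alone.
    The successes are the accounts that accepted a reused password and need
    a forced reset, which is the remediation the article describes.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome))
    flagged = defaultdict(set)
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # shrink the window from the left
            seen = attempts[start:end + 1]
            if len({u for _, u, _ in seen}) >= min_distinct_users:
                flagged[ip].update(u for _, u, o in seen if o == "success")
    return {ip: sorted(users) for ip, users in flagged.items()}

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_EVENTS))
```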

“In this instance, it appears that third-party bad actors were able to use usernames and passwords that were compromised in previous data breaches of other websites and apps to log in to some Instacart accounts,” Instacart said in a post on Medium.

Instacart said that it was taking a number of steps to support those impacted as well as ensuring the security of its platform. Affected customers are having their passwords reset and are being advised to use unique, strong passwords that they do not use on any other apps or website.

While seemingly not to blame directly, Instacart came in for criticism.

“From the information that has been released thus far, we know that Instacart allows users to use three possible methods of authentication: an Instacart account, Google and Facebook,” Thomas Richards, principal security consultant at electronic design automation company Synopsys Inc., told SiliconANGLE. “While Google and Facebook appear to have strong account password policies and protections, Instacart’s password policy only requires six characters. This is below the industry standard and is considered a weak password policy.”

Brian Herr, vice president of enterprise data privacy software firm Privitar Ltd., said the situation underscores the critical need for businesses to integrate both security- and privacy-preserving strategies to protect their sensitive customer data.

“While established security technologies (e.g. firewalls, access control and traffic monitoring) prevent unauthorized access to sensitive data and reduce the likelihood of data leakage, they provide no protection when data is in use or once it leaks,” Herr said. “This level of protection requires data privacy, which controls what can be learned and can prevent exposure of individuals and thereby reduces or eliminates the consequences of a data breach or misuse, whether inadvertent or malicious.”

Photo: Instacart
