Instacart says customer re-use of compromised passwords and emails is to blame after personal data from 270,000 accounts was leaked onto the dark web
- Instacart says 270,000 accounts were the subject of ‘credential stuffing’
- The hackers used compromised emails and passwords to access accounts
- Instacart doesn’t currently offer added security options like two-factor authentication
Instacart is blaming a rash of account breaches on customers reusing compromised passwords.
In a statement posted this week, Instacart said that ‘credential stuffing’, in which hackers use compromised passwords and emails to attempt to infiltrate victims’ accounts, was to blame.
Hackers used a method known as brute-force, which automates the process of entering passwords and emails.
‘Internally, we’ve assembled a cross-functional team to promptly investigate this issue and provide an update to our customers,’ Instacart said in a statement.
‘Our teams have been working around the clock to quickly determine the validity of reports related to site security and so far our investigation has shown that the Instacart platform was not compromised or breached.’
Instacart also said that it hasn’t recorded any breaches of its own internal security.
‘In this instance, it appears that third-party bad actors were able to use usernames and passwords that were compromised in previous data breaches of other websites and apps to login to some Instacart accounts,’ the company said in a statement.
Instacart’s statement follows a report from BuzzFeed, which found the personal information of 270,000 accounts, including users’ names, addresses, the last four digits of their credit cards, and order histories from as recently as this week, for sale on the dark web.
While Instacart appears to be shifting the blame to users, the company has yet to allow two-factor authentication, which sets up an extra layer of security using a customer’s phone number.
In a statement to TechCrunch, Instacart refused to comment on whether the company plans to roll out two-factor authentication in the future.