A Cybersecurity Expert Believes Instacart Was Hacked, but the Company Denies It
Updated July 23 2020, 2:43 p.m. ET
The coronavirus pandemic has forced people to find more creative ways to go about their daily lives. Work meetings and classes have been entirely conducted over Zoom, and food delivery services like Amazon Prime Pantry, Uber Eats, DoorDash, and Instacart have had remarkable surges in usage in the past few months, with some even temporarily shut down from overuse.
Now, however, Instacart users are scared their accounts may have been "hacked."
Instacart denies there was a breach of its user data.
It's been reported that denizens of the "dark web" are now able to purchase private data from 278,531 Instacart accounts, but there's reason to believe that a lot of these credentials are duplicates, "burners," or both.
Instacart currently has, according to a company spokesperson, "millions of customers across the U.S. and Canada."
The grocery delivery service has denied that there's been a data breach, BuzzFeed reports: "We are not aware of any data breach at this time. We take data protection and privacy very seriously. Outside of the Instacart platform, attackers may target individuals using phishing or credential stuffing techniques."
The service's spokesperson continued, "In instances where we believe a customer’s account may have been compromised through an external phishing scam outside of the Instacart platform or other action, we proactively communicate to our customers to auto-force them to update their password."
Customers who use Instacart have confirmed that their information has been leaked on the dark web, and a cybersecurity expert, Nick Espinosa, has said that the leak does appear to have happened: after reviewing the data from the alleged hack, he said it looked "recent and totally legit."
However, the source of the "breach" could be password "sniffing" programs associated with other sites that have been compromised. This is where reusing the same password across sites becomes a problem.
Speaking from personal experience, I had my Netflix account continually logged into and "commandeered" multiple times a day. My Netflix email address was then changed so I couldn't log into my account. I ultimately solved the problem by changing the email address associated with my Netflix, but if I kept it as my original Gmail account, no matter how many times I changed my password, the issue kept popping up.
If this is happening to you on a site or service that doesn't have dual-factor authentication, your best course of action could be to use a new email address entirely to verify. Passwords you have used before are a common way for "hacking" programs to get hold of your personal credentials, so beware.
So was Instacart really "hacked" in 2020?
It's hard to say as of now, as Instacart still maintains that there hasn't been a breach of data, but as anyone who was involved in Sony's PlayStation Store data breach or the recent Equifax credit disaster knows, those narratives can change over time.
As to what this personal information is being used for, it's basically a very illegal form of what Facebook does with Cambridge Analytica. While data-gathering companies sell the personal data that users willingly provide on social media sites (the "contract" you sign for joining a free service) to a slew of marketing and advertising companies so that products and services get pushed at you, it's not hard to imagine that dark web frequenters may have more nefarious plans.
If your account credentials are the same on other sites, attackers could use them to gain access to your other personal accounts. If you have a bunch of data stored in the cloud, they can then scan those files to see if there are any sensitive documents containing financial information or photos of ID cards, birth certificates, driver's license numbers, etc.
Identity theft is a $6 billion a year business minimum, after all.