Instacart users’ personal data, including order history, is reportedly being sold online

From The Verge: The personal data of hundreds of thousands of Instacart users is being sold on the dark web for around $2 per person, according to a report from BuzzFeed.

The publication says information including “names, the last four digits of credit card numbers, and order histories” appearing to belong to 278,531 Instacart accounts is available to buy. (Though it’s impossible to verify that this number doesn’t include duplicates or incorrect data.) BuzzFeed did confirm with two Instacart users that the order date, transaction amount, and credit card numbers included in the cache matched their recent purchases. The data also includes users’ emails addresses.

Instacart denies that there’s been a data breach of its systems, but says it’s investigating the issue and has reached out to potentially affected users. A spokesperson for the company told The Verge that it was contacting customers whose data might have been compromised not because of a data breach, but because of phishing attacks or credential stuffing.

Credential stuffing is where hackers take login information posted online as a result of leaks or breaches and use it to try and access different accounts belonging to the same targets. It’s often successful because people tend to re-use passwords across the web.

View: Full Article