Expert Comments

Expert Insight On Instacart Customers’ Personal Data Sold On Dark Web

Expert(s): Security Experts
Expert(s): Security Experts

The personal details of the Instacart customers are sold on dark web conatining the last four digits of credit card numbers, and order histories. The information is being sold by sellers on two dark wen stores and has impacted “millions of customers across the US and Canada,” according to a company spokesperson.

Experts Comments

Dot Your Expert Comments
Chloé Messdaghi
July 24, 2020
VP of Strategy
Point3 Security

These are historic times and some bad actors are driven to these types of attacks by urgent financial need.
It appears that once again, we’re seeing how important it is to keep your security platforms and staff in top form. This is the most personal information – where someone lives, their buying habits, etc., and esp. for people living alone, their information has been made public. The most likely bet is that this is a phishing situation. The most important thing is to let customers know their data is out there and urge them to change passwords and monitor accounts. These are historic times and.....Read More
It appears that once again, we’re seeing how important it is to keep your security platforms and staff in top form. This is the most personal information – where someone lives, their buying habits, etc., and esp. for people living alone, their information has been made public. The most likely bet is that this is a phishing situation. The most important thing is to let customers know their data is out there and urge them to change passwords and monitor accounts. These are historic times and some bad actors are driven to these types of attacks by urgent financial need. This hack was likely a social engineering attack – and unfortunately, many people don’t know what social engineering is and how they’re put at risk. This underscores that companies have got to educate their employees and take this type of threat more seriously, and constantly upskill their cybersecurity teams. Phishing isn’t a security stack problem – the human element is the primary driving factor. Until employees understand the implications of bad clicks, they’re bound to be apathetic because they’ve never been directly affected by their company’s cyber issues.  Read Less
Paul Martini
July 24, 2020
CEO
iboss

The reporting suggests this data is definitely legitimate.
The reporting suggests this data is definitely legitimate. If there was a breach of this size that occurred — and all signs suggest that it has — it shows how vulnerable cloud data and infrastructure is if not properly managed. This should call into question what cybersecurity decisions are being made while building and creating cloud services for consumers. With a proper cybersecurity program leveraging appropriate (and very accessible) monitoring and reporting tools, this type of breach.....Read More
The reporting suggests this data is definitely legitimate. If there was a breach of this size that occurred — and all signs suggest that it has — it shows how vulnerable cloud data and infrastructure is if not properly managed. This should call into question what cybersecurity decisions are being made while building and creating cloud services for consumers. With a proper cybersecurity program leveraging appropriate (and very accessible) monitoring and reporting tools, this type of breach is greatly reduced as the volume of sensitive data leaving the network is easily identified and prevented.  Read Less
Chris Clements
July 24, 2020
VP
Cerberus Sentinel

It’s possible that Instacart has unknowningly suffered a breach.
Attribution is a common problem for data posted for sale on dark web forums. It’s possible that Instacart has unknowningly suffered a breach, but it’s also possible that the leak came from a third party with access to Instacart’s data. The unfortunate thing is that most organizations do not have good enough insight to how their data is accessed or where it may have proliferated to. Even if Instacart’s main service has not been compromised, it’s possible that a development or support.....Read More
Attribution is a common problem for data posted for sale on dark web forums. It’s possible that Instacart has unknowningly suffered a breach, but it’s also possible that the leak came from a third party with access to Instacart’s data. The unfortunate thing is that most organizations do not have good enough insight to how their data is accessed or where it may have proliferated to. Even if Instacart’s main service has not been compromised, it’s possible that a development or support technician may have copied live customer data to their local machine or synced it to cloud services such as Dropbox. Once data leaks out of main channels in such ways, it can be difficult if not impossible to identify where it may have been exposed to cybercriminals. 278,531 accounts may be a minority of Instacart’s customer base, but it’s large enough that it’s unlikely to have stemmed from a phishing campaign targeting individual Instacart users. It’s important that all organizations have appropriate controls to secure and actively monitor data that their users entrust them with, however, doing so internally is often a much more difficult and expensive challenge than most business first assume. This leads to gaps in visibility that more often than not lead to security breaches.  Read Less
Chris Hauk
July 24, 2020
Consumer Privacy Champion
Pixel Privacy

This is especially true for credit cards that have been used to order anything online.
The Instacart breach serves as a reminder to all credit card users to keep an eye on all of their credit card accounts for unusual activity. This is especially true for credit cards that have been used to order anything online. If you see any unusual activity on your credit card statements, immediately call your card issuers to dispute the charges and to receive a new card. It is also wise to invest in credit monitoring services to warn you of any possible identity theft attempts.
Thomas Richards
July 24, 2020
Principal Consultant
Synopsys

Google and Facebook appear to have strong account password policies and protections
"From the information that has been released thus far, we know that Instacart allows users to use three possible methods of authentication: an Instacart account, Google, and Facebook. While Google and Facebook appear to have strong account password policies and protections, Instacart’s password policy only requires 6 characters. This is below the industry standard and is considered a weak password policy. I don’t believe phishing is a likely attack vector in this case, as it would take much .....Read More
"From the information that has been released thus far, we know that Instacart allows users to use three possible methods of authentication: an Instacart account, Google, and Facebook. While Google and Facebook appear to have strong account password policies and protections, Instacart’s password policy only requires 6 characters. This is below the industry standard and is considered a weak password policy. I don’t believe phishing is a likely attack vector in this case, as it would take much more effort than the selling price would offer. However, credential stuffing—using common passwords or passwords obtained from a data breach—are a likely path to account compromise. I would recommend that Instacart investigate if there were a high number of failed login attempts on accounts which would indicate an attempt to password spray/stuff while also looking for login attempts from invalid users.  Read Less

Dot Your Expert Comments


Only for registered and approved experts. Please register before providing comments. Register here
* By using this form you agree with the storage and handling of your data by this web site.
Submit
0
FacebookTwitterLinkedinWhatsappEmail

You may also like

ObliqueRAT Trojan Lurks On Compromised Websites – Experts Comments

Microsoft Multiple 0-Day Attack – Tenable Comment

Experts Reaction On Malaysia Airlines 9 Years Old Data Breach

IoT Security In The Spotlight, As Research Highlights Alexa Security...

Oxfam Australia Confirms ‘Supporter’ Data Accessed In Cyber Attack

Expert Reaction On Solarwinds Blames Intern For Weak Passwords

Expert Reaction On Go Is Becoming The Language Of Choice...

Experts On Google Voice Outage

Expert Reaction On GCHQ To Use AI In Cyberwarfare

Comment: Hackers Break Into ‘Biochemical Systems’ At Oxford Uni Lab...