The personal details of Instacart customers are being sold on the dark web, including the last four digits of credit card numbers and order histories. The information is being sold by sellers on two dark web stores and has impacted “millions of customers across the US and Canada,” according to a company spokesperson.
The names, credit card numbers, and order histories of Instacart customers are being sold online without their knowledge https://t.co/Ao96WwaHm3
— BuzzFeed News (@BuzzFeedNews) July 23, 2020
It appears that once again, we’re seeing how important it is to keep your security platforms and staff in top form. This is the most personal information – where someone lives, their buying habits, etc., and especially for people living alone, their information has been made public. The most likely bet is that this is a phishing situation. The most important thing is to let customers know their data is out there and urge them to change passwords and monitor accounts. These are historic times and some bad actors are driven to these types of attacks by urgent financial need.
This hack was likely a social engineering attack – and unfortunately, many people don’t know what social engineering is and how they’re put at risk. This underscores that companies have got to educate their employees and take this type of threat more seriously, and constantly upskill their cybersecurity teams. Phishing isn’t a security stack problem – the human element is the primary driving factor. Until employees understand the implications of bad clicks, they’re bound to be apathetic because they’ve never been directly affected by their company’s cyber issues.
The reporting suggests this data is definitely legitimate. If there was a breach of this size that occurred — and all signs suggest that it has — it shows how vulnerable cloud data and infrastructure are if not properly managed. This should call into question what cybersecurity decisions are being made while building and creating cloud services for consumers. With a proper cybersecurity program leveraging appropriate (and very accessible) monitoring and reporting tools, this type of breach is greatly reduced, as the volume of sensitive data leaving the network is easily identified and prevented.
Attribution is a common problem for data posted for sale on dark web forums. It’s possible that Instacart has unknowingly suffered a breach, but it’s also possible that the leak came from a third party with access to Instacart’s data. The unfortunate thing is that most organizations do not have good enough insight into how their data is accessed or where it may have proliferated to. Even if Instacart’s main service has not been compromised, it’s possible that a development or support technician may have copied live customer data to their local machine or synced it to cloud services such as Dropbox. Once data leaks out of main channels in such ways, it can be difficult if not impossible to identify where it may have been exposed to cybercriminals. 278,531 accounts may be a minority of Instacart’s customer base, but it’s large enough that it’s unlikely to have stemmed from a phishing campaign targeting individual Instacart users. It’s important that all organizations have appropriate controls to secure and actively monitor data that their users entrust them with; however, doing so internally is often a much more difficult and expensive challenge than most businesses first assume. This leads to gaps in visibility that more often than not lead to security breaches.
The Instacart breach serves as a reminder to all credit card users to keep an eye on all of their credit card accounts for unusual activity. This is especially true for credit cards that have been used to order anything online. If you see any unusual activity on your credit card statements, immediately call your card issuers to dispute the charges and to receive a new card. It is also wise to invest in credit monitoring services to warn you of any possible identity theft attempts.
From the information that has been released thus far, we know that Instacart allows users to use three possible methods of authentication: an Instacart account, Google, and Facebook. While Google and Facebook appear to have strong account password policies and protections, Instacart’s password policy only requires 6 characters. This is below the industry standard and is considered a weak password policy. I don’t believe phishing is a likely attack vector in this case, as it would take much more effort than the selling price would offer. However, credential stuffing—using common passwords or passwords obtained from a data breach—is a likely path to account compromise. I would recommend that Instacart investigate if there were a high number of failed login attempts on accounts which would indicate an attempt to password spray/stuff while also looking for login attempts from invalid users.
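The investigation the last commenter recommends (look for bursts of failed logins, spray/stuffing patterns, and attempts against usernames that do not exist) can be expressed as a small aggregation over authentication logs. The script below is an added example for this article; it is not code from Instacart, from any of the commenters, or from any named product. The log format, the source addresses, the usernames and the thresholds are all constructed for illustration, and a real deployment would feed the same aggregation from its own login events or SIEM. It groups events by source address, counts failures, distinct usernames and unknown-user rejections, flags sources that look like a spray or stuffing run, and lists the accounts that logged in successfully from a flagged source, since those are the ones to lock and notify.

```python
"""Added example: flagging credential-stuffing / password-spray sources in auth logs.

Not from the article or from Instacart. Log format, addresses, users and
thresholds are constructed for this illustration.
"""
import re
from collections import defaultdict

# Constructed sample log: one line per login attempt. 198.51.100.7 tries many
# different users in quick succession, mostly failing (two hit non-existent
# accounts) and getting one success; the other two sources look like normal use.
SAMPLE_LOG = """\
2020-07-22T01:00:01Z src=198.51.100.7 user=alice result=fail reason=bad_password
2020-07-22T01:00:02Z src=198.51.100.7 user=bob result=fail reason=bad_password
2020-07-22T01:00:03Z src=198.51.100.7 user=carol result=fail reason=bad_password
2020-07-22T01:00:04Z src=198.51.100.7 user=dave result=success
2020-07-22T01:00:05Z src=198.51.100.7 user=erin result=fail reason=no_such_user
2020-07-22T01:00:06Z src=198.51.100.7 user=frank result=fail reason=no_such_user
2020-07-22T01:00:07Z src=198.51.100.7 user=grace result=fail reason=bad_password
2020-07-22T01:05:00Z src=203.0.113.9 user=alice result=fail reason=bad_password
2020-07-22T01:05:10Z src=203.0.113.9 user=alice result=success
2020-07-22T01:10:00Z src=192.0.2.44 user=heidi result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+)(?: reason=(?P<reason>\S+))?$"
)


def parse(log_text):
    """Yield one dict per well-formed line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def per_source_stats(events):
    """Aggregate failures, successes and username sets per source address."""
    stats = defaultdict(lambda: {
        "fail": 0, "success": 0, "users": set(),
        "unknown_users": set(), "success_users": set(),
    })
    for e in events:
        s = stats[e["src"]]
        s["users"].add(e["user"])
        if e["result"] == "success":
            s["success"] += 1
            s["success_users"].add(e["user"])
        else:
            s["fail"] += 1
            if e["reason"] == "no_such_user":
                s["unknown_users"].add(e["user"])
    return stats


def flag_sources(stats, min_fail=5, min_users=5, max_success_ratio=0.5):
    """Spray/stuffing signature: one source, many failures spread over many
    distinct usernames, with few successes relative to failures.  A lone user
    mistyping their own password fails the min_users test and is not flagged.
    Thresholds are illustrative, not tuned values."""
    flagged = {}
    for src, s in stats.items():
        total = s["fail"] + s["success"]
        ratio = s["success"] / total if total else 0.0
        if s["fail"] >= min_fail and len(s["users"]) >= min_users and ratio <= max_success_ratio:
            flagged[src] = {
                "failures": s["fail"],
                "distinct_users": len(s["users"]),
                # attempts against non-existent accounts: a strong sign the
                # username list came from somewhere else (another breach)
                "unknown_users": sorted(s["unknown_users"]),
                "successes": s["success"],
            }
    return flagged


def analyze(log_text):
    """Return flagged sources and the accounts that succeeded from them."""
    stats = per_source_stats(parse(log_text))
    flagged = flag_sources(stats)
    compromised = set()
    for src in flagged:
        compromised |= stats[src]["success_users"]
    return {"flagged": flagged, "compromised": compromised}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src, info in report["flagged"].items():
        print(f"suspicious source {src}: {info}")
    print("accounts to lock and notify:", sorted(report["compromised"]))
```

Per-source aggregation is the simplest first cut; a stuffing run spread across a botnet will keep each address under the threshold, so the same counters should also be kept globally (overall failure rate and the share of failures that hit unknown usernames) and per account (one account failing from many addresses). Attempts from a username that does not exist are worth their own alert even at low volume, because a legitimate user rarely produces them.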