Expert Insight On Instacart Customers’ Personal Data Sold On Dark Web

By   ISBuzz Team
Writer , Information Security Buzz | Jul 24, 2020 02:15 am PST

The personal details of the Instacart customers are sold on dark web conatining the last four digits of credit card numbers, and order histories. The information is being sold by sellers on two dark wen stores and has impacted “millions of customers across the US and Canada,” according to a company spokesperson.

Notify of
5 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Chloé Messdaghi
Chloé Messdaghi , VP of Strategy
July 24, 2020 10:30 am

It appears that once again, we’re seeing how important it is to keep your security platforms and staff in top form. This is the most personal information – where someone lives, their buying habits, etc., and esp. for people living alone, their information has been made public. The most likely bet is that this is a phishing situation. The most important thing is to let customers know their data is out there and urge them to change passwords and monitor accounts. These are historic times and some bad actors are driven to these types of attacks by urgent financial need.

This hack was likely a social engineering attack – and unfortunately, many people don’t know what social engineering is and how they’re put at risk. This underscores that companies have got to educate their employees and take this type of threat more seriously, and constantly upskill their cybersecurity teams. Phishing isn’t a security stack problem – the human element is the primary driving factor. Until employees understand the implications of bad clicks, they’re bound to be apathetic because they’ve never been directly affected by their company’s cyber issues.

Last edited 3 years ago by Chloé Messdaghi
Paul Martini
Paul Martini , CEO
July 24, 2020 10:28 am

The reporting suggests this data is definitely legitimate. If there was a breach of this size that occurred — and all signs suggest that it has — it shows how vulnerable cloud data and infrastructure is if not properly managed. This should call into question what cybersecurity decisions are being made while building and creating cloud services for consumers. With a proper cybersecurity program leveraging appropriate (and very accessible) monitoring and reporting tools, this type of breach is greatly reduced as the volume of sensitive data leaving the network is easily identified and prevented.

Last edited 3 years ago by Paul Martini
Chris Clements
July 24, 2020 10:26 am

Attribution is a common problem for data posted for sale on dark web forums. It’s possible that Instacart has unknowningly suffered a breach, but it’s also possible that the leak came from a third party with access to Instacart’s data. The unfortunate thing is that most organizations do not have good enough insight to how their data is accessed or where it may have proliferated to. Even if Instacart’s main service has not been compromised, it’s possible that a development or support technician may have copied live customer data to their local machine or synced it to cloud services such as Dropbox. Once data leaks out of main channels in such ways, it can be difficult if not impossible to identify where it may have been exposed to cybercriminals. 278,531 accounts may be a minority of Instacart’s customer base, but it’s large enough that it’s unlikely to have stemmed from a phishing campaign targeting individual Instacart users. It’s important that all organizations have appropriate controls to secure and actively monitor data that their users entrust them with, however, doing so internally is often a much more difficult and expensive challenge than most business first assume. This leads to gaps in visibility that more often than not lead to security breaches.

Last edited 3 years ago by Chris Clements
Chris Hauk
Chris Hauk , Consumer Privacy Champion
July 24, 2020 10:24 am

The Instacart breach serves as a reminder to all credit card users to keep an eye on all of their credit card accounts for unusual activity. This is especially true for credit cards that have been used to order anything online. If you see any unusual activity on your credit card statements, immediately call your card issuers to dispute the charges and to receive a new card. It is also wise to invest in credit monitoring services to warn you of any possible identity theft attempts.

Last edited 3 years ago by Chris Hauk
Thomas Richards
Thomas Richards , Principal Consultant
July 24, 2020 10:17 am

\”From the information that has been released thus far, we know that Instacart allows users to use three possible methods of authentication: an Instacart account, Google, and Facebook. While Google and Facebook appear to have strong account password policies and protections, Instacart’s password policy only requires 6 characters. This is below the industry standard and is considered a weak password policy. I don’t believe phishing is a likely attack vector in this case, as it would take much more effort than the selling price would offer. However, credential stuffing—using common passwords or passwords obtained from a data breach—are a likely path to account compromise. I would recommend that Instacart investigate if there were a high number of failed login attempts on accounts which would indicate an attempt to password spray/stuff while also looking for login attempts from invalid users.

Last edited 3 years ago by Thomas Richards

Recent Posts

Would love your thoughts, please comment.x