Instacart told Grocery Dive it has a security team and multiple layers of security measures across common vectors designed to protect its customers. If the company believed customers’ accounts were compromised, Instacart said, it would send shoppers a message forcing them to change their login information.
But Instacart said it cannot control attackers who may target individuals outside of its platform using phishing or credential stuffing techniques. Credential stuffing succeeds when someone uses similar login credentials across multiple websites and apps.
After reviewing the accounts, a cybersecurity expert told BuzzFeed the information collected looks recent and “legit.” And two women whose personal information was for sale on the dark web confirmed they were Instacart users and that their order history and credit card numbers matched, according to BuzzFeed.
One of the women told BuzzFeed she does not reuse passwords on different websites and apps.
As cyber attacks grow increasingly sophisticated and e-commerce continues to gain momentum, grocery delivery companies and retailers have become targets for hackers, making cybersecurity a priority for these companies.
In 2017, Target had to fork over $18.5 million to 47 states as part of a settlement over a security breach that occurred in 2013 and compromised credit card numbers and other information from millions of consumers.
In 2019, Hy-Vee found that its payment systems were breached by malware at certain point-of-sale systems at its fuel stations, drive-thru coffee shops, Market Grille, Wahlburgers and the cafeteria at its headquarters. At one point, grocers were the top channel for data breaches.
This article originally appeared in GroceryDive.