

Instacart Claims Compromised Accounts Caused by Password Reuse

Instacart responded to reports of 278,531 customer accounts for sale on the Darknet, though it is believed that some may be duplicates or fakes. According to a company spokesman, no data breach of Instacart systems took place, but they believe the accounts were compromised due to reused passwords which were pulled from other data breaches. The account compromises have exposed customer names, addresses, information on past orders, and the last four digits of customer credit cards. Instacart’s security team stated that it does not appear that all of these details were pulled from every impacted customer account. Instacart is contacting any customers believed to have been impacted by threat actors through external breaches or phishing attacks and will require their passwords to be updated.

Analyst Notes

Compromising accounts through reused passwords is nothing new or unique; this technique is commonly referred to as credential stuffing. Far too many people use either the same or similar credentials across multiple accounts. Threat actors know this and exploit it regularly by trying credentials leaked from one site, as well as small variations on them, against a number of other websites in order to compromise accounts there. This is why it is vitally important that users make a habit of using password management services to create unique and complex credentials for every account they have. Any users who have made it a practice to reuse identical or similar credentials across multiple systems should begin phasing out those passwords in favor of more secure password policies. Credential stuffing is especially damaging when used against corporate accounts to access VPN, Office365, Google G Suite or other services that provide access to sensitive company information. The Binary Defense Counterintelligence service provides monitoring and advanced warning for corporate account email addresses compromised in third-party data breaches that are sold on the Darknet. More information on this incident can be found at
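On the defending side, credential stuffing has a recognizable shape in authentication logs: one source tries many different accounts a few times each and almost all attempts fail. The following is an added example, not code from Instacart or Binary Defense; the event format, thresholds and sample data are assumptions constructed for illustration. It separates that pattern from single-account brute forcing and lists the accounts that need a forced password reset.

```python
from collections import defaultdict

# Constructed sample events: (source_ip, username, login_succeeded).
# Addresses come from documentation ranges; none of this is real log data.
SAMPLE_EVENTS = (
    [("203.0.113.7", f"user{i}@example.com", i % 25 == 0) for i in range(50)]
    + [("198.51.100.4", "alice@example.com", False)] * 30
    + [("192.0.2.10", "bob@example.com", False),
       ("192.0.2.10", "bob@example.com", True)]
)

def classify_sources(events, min_accounts=20, max_success_ratio=0.1,
                     max_tries_per_account=3, min_failures=20):
    """Label each source as 'credential_stuffing', 'brute_force' or 'normal'.

    Thresholds are illustrative assumptions and need tuning per service.
    """
    stats = defaultdict(lambda: {"accounts": set(), "attempts": 0, "ok": 0})
    for ip, user, succeeded in events:
        entry = stats[ip]
        entry["accounts"].add(user.lower())
        entry["attempts"] += 1
        entry["ok"] += bool(succeeded)

    verdicts = {}
    for ip, entry in stats.items():
        accounts = len(entry["accounts"])
        tries_per_account = entry["attempts"] / accounts
        success_ratio = entry["ok"] / entry["attempts"]
        failures = entry["attempts"] - entry["ok"]
        # Stuffing: wide (many accounts), shallow (few tries each), mostly failing.
        if (accounts >= min_accounts and success_ratio <= max_success_ratio
                and tries_per_account <= max_tries_per_account):
            verdicts[ip] = "credential_stuffing"
        # Brute force: narrow and deep (many failed guesses per account).
        elif failures >= min_failures and tries_per_account > max_tries_per_account:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "normal"
    return verdicts

def accounts_to_reset(events, verdicts):
    """Accounts with a successful login from a stuffing source."""
    return sorted({user.lower() for ip, user, succeeded in events
                   if succeeded and verdicts.get(ip) == "credential_stuffing"})

if __name__ == "__main__":
    verdicts = classify_sources(SAMPLE_EVENTS)
    print(verdicts)
    print(accounts_to_reset(SAMPLE_EVENTS, verdicts))
```

Per-source counting misses campaigns spread across many proxies, so the same aggregation is worth running keyed on other shared attributes the service already logs.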