With the threat of coronavirus, a lot of us have been grocery shopping via Instacart — which means our data may now be for sale on the dark web. Buzzfeed discovered the account information from nearly 280,000 Instacart users for sale online, and while Instacart has millions of users, that's a sizable number.
The data includes names, email addresses, the last four digits of credit card numbers and order history from June and July 2020 — some of it as recent as this Wednesday. Though this data may include duplicates or fake accounts, at least some of it's accurate: customers whose data is on sale have confirmed their information and order history is correct.
However, Instacart claims it hasn't been hacked. Instead, it blames users for poor security practices, like reusing passwords or accidentally revealing their passwords in phishing attacks. That implies that the thieves used stolen passwords to log on to individual accounts and grab data. Because many of us reuse passwords, this is possible — but Instacart could have also taken more security precautions to help users protect their data. Supporting two-factor authentication, requiring users to do additional account verification if their account is accessed from an unknown source, or emailing the user when their account is accessed could have stopped (or at least slowed) this kind of data theft.
Note that if you use Google or Facebook to log into Instacart and have two-factor authentication turned on for these accounts, your data should be safe.
How to protect your data
Users can take actions to protect their data in the future. Instacart claims affected users are required to create a new password before they log in next — but we recommend changing your password even if Instacart doesn't ask you to. When you change your password, make sure to use a strong one that you don't use on any other website. It can be tough to remember all of these passwords, so we suggest using a secure password manager to keep track of them and help generate strong, random passwords. And if you use Google or Facebook to log into Instacart and don't have two-factor authentication (2FA) turned on, turn it on (here's how to turn on 2FA for Google and for Facebook).
It's also a good idea to keep an eye on data breaches so you know whether your passwords have been stolen. You can sign up for emails from Have I Been Pwned that will tell you when accounts with your information have been compromised in a data breach. If they are, you should change your password for the site (and any other sites using the same password) immediately. Many password managers and some browsers will also tell you when your passwords have been compromised, so it's easier than ever to keep tabs on your account security.
If websites offer two-factor authentication, which requires you to enter a password and verify your identity by a second method, you should use it. This often means entering a code from a text message or a security app when you enter your password, which makes it much more difficult for people to get into your accounts. You can easily check whether sites you use offer two-factor authentication by doing a simple search on TwoFactorAuth.org. Not many ecommerce sites offer it, but you should still check and set it up whenever it is available.
Even though full credit card numbers don't seem to be compromised in this Instacart breach, you should watch your credit card bill for fraudulent charges. (To make this easier, many companies let you sign up for alerts if they see a suspicious charge.) Any information hackers acquire can help them commit fraud, and it's better to be safe than sorry. If you see any unfamiliar charges, you should contact your credit card company immediately.
If your data has been stolen, there's no getting it back — but you can protect yourself from future theft.
[Image credit: Instacart]