Some 278,531 Instacart customer records have reportedly been hacked, and are for sale on the dark web. The data includes names, email addresses, the last four digits of credit card numbers, and order histories …

Instacart denies that there has been any breach, and says that if any data is real, it didn’t come from them.

“We are not aware of any data breach at this time. We take data protection and privacy very seriously,” an Instacart spokesperson told BuzzFeed News. “Outside of the Instacart platform, attackers may target individuals using phishing or credential stuffing techniques. In instances where we believe a customer’s account may have been compromised through an external phishing scam outside of the Instacart platform or other action, we proactively communicate to our customers to auto-force them to update their password.”

However, a security researcher who reviewed the data says the Instacart customer records appear genuine, and BuzzFeed was able to verify details with two customers whose data was included.

“It’s looking recent and totally legit,” Nick Espinosa, the head of cybersecurity firm Security Fanatics, told BuzzFeed News after reviewing the accounts being sold.

Two women whose personal information was for sale confirmed they were Instacart customers, that their last order date and amount matched what appeared on the dark web, and that the credit card information belonged to them […]

The account information was being sold for around $2 per customer. According to one of the websites where the information was being sold, the personal data of people using Instacart accounts had been added throughout June and July, with the most recent upload being July 22.

The breach has not yet been added to, a site which verifies breaches, lets you search for your email address to see if your data has been obtained, and proactively notifies registered users if their email address is included in a breach.

As with any reported breach, it’s advisable to change your password and especially ensure that you have not re-used the password elsewhere. If you have, you should change your password on all relevant sites, and use a password manager to enable you to use unique, strong passwords for every site, app, and service. Two-factor authentication should also be used to protect your privacy whenever it is available.

FTC: We use income earning auto affiliate links. More.

AnyBackup autobackup 100W charger

Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear