The skinny on the Instacart breach

The skinny on the Instacart breach

The COVID-19 outbreak has affected many facets of our lives—from how we visit our families, socialize with friends, meet with colleagues, to how we should be conducting ourselves outside of our homes. Ideally, a few meters apart from everyone else and with a mask on.

These—on top of imposed lockdowns—have pushed most people to stay indoors, pushing them to do almost everything they want to do in real life online. This includes grocery shopping.

It is no wonder, then, to see a sudden spike in app downloads of food and grocery delivery apps. Similarly, it is also not a wonder to see that it didn’t take long for those with ill intent to find a way to score big from brands behind these apps. Or have they really?

Instacart, one of the top three brands in the grocery and pick-up services in the world, was recently believed to be hacked, after more than 270,000 accounts of its clients were seen being peddled in the Dark Web. It was reported that these accounts contained information, such as names, addresses, credit card data, and transaction history.

BuzzFeed News, who initially reported the incident, have indicated that some affected parties were interviewed and confirmed that, upon being shown data taken from breach, confirmed it was indeed their data being sold. A cybersecurity expert who also looked at some of the data put more weight into its the breach’s validity.

Days after the report, however, Instacart denied that a security breach happened. “Our teams have been working around the clock to quickly determine the validity of reports related to site security and so far our investigation had shown that the Instacart platform was not compromised or breached,” the company wrote in a Medium post.

Instead, the company asserted the belief that the reason client accounts may have been broken into was because their clients had been reusing login credentials.

As you may already know, password reuse is a huge cybersecurity problem, where the onus rests on users who continue to use the same username-password combinations on a lot or all their online accounts. This results in a chain of compromises for one individual. If an Instacart customer uses the same credentials to access their Twitter feed, Facebook page, favorite online magazine or news sites, online banking, or cloud storage accounts, for example, a compromise on any one of those sites would result in compromise for all the others.

While the reuse of credentials is indeed a known cybersecurity problem, solving it should not be up to users alone. One cannot help but wonder if all 278,531 accounts affected by the breach were because people had been reusing username-password combinations.

Whether you’re on the side of “Yes, they’ve been breached!” or “No, they’re securing my data well,” one thing is certain: Instacart shoppers and Internet users should play our part in keeping our online accounts as impenetrable as possible. While making sure you don’t reuse username and password combinations between accounts is one way to secure against multiple breaches, it’s certainly not full-proof protection.

If remembering passwords is challenging, you can always enlist the help of a trusty password manager that will serve as your memory and keep your credentials (and other important bite-size information) encrypted and away from prying eyes. For added security, use two-factor/multi-factor authentication.

On the one hand, security is not just the customers’ problem. Companies like Instacart should play their part, too, and own their piece of the pie. They can start doing this by securing their websites against hacks with credential stuffing, credit card skimmers, and other threats that target customer accounts. Multi-factor authenticate new clients to the platform and inform or push old ones to enable this feature for their existing accounts.

Of course, this should not be the end of securing user data for companies. Privacy compliance, PCI compliance, and encrypting data at rest and in transit are key to keeping customer credentials secure. Otherwise, organizations may find themselves skewered on Reddit.

Stay safe, shopper!