
The personal info of what could be Instacart customers is being sold online - coloneltcb
https://www.buzzfeednews.com/article/janelytvynenko/instacart-customers-info-sold-online
======
iamyi
I am not surprised. Recently I had an issue with Instacart when somehow one of
my orders was charged back. The Trust team at Instacart insisted that I pay up
and refused to investigate their system, after I provided a lot of evidence of
how their system is mixing up my account with somebody else’s and there is a
bug in their integration with Costco. After more than a week of back and forth
they closed my account. I decided to reopen it by paying the charged back
amount because without it I can shop at Costco. Guess what, after the account
was reopened, the other transaction delivered to another person living in
another state is still showing up in my account, including their other
private information like cell phone numbers and CC digits. I decided it’s
better to buy from Amazon instead of Costco with Instacart. It’s beyond me why
their trust department refused to investigate their system with obvious
evidence for bugs, and I don’t want to text the other person in my account to
notify him that his private information has been compromised, because the
communication with Instacart made me feel that I am guilty.

If you use Instacart to buy from Costco, be aware.

~~~
mattigames
Just tangentially related, but recently I tried to buy something from an online
store called Adorama. When I tried to place an order I got the notification
of the charge from my bank after clicking the order button, but the page didn't
do anything. Initially I thought "well, let's just get in touch with customer
support, pretty sure they can see the charge and let me know what happened with
it". Oh boy, was I wrong: their customer support only has access to orders, not
transactions, so when a bug in their website charged me without creating an
order there is nothing they can do at all. All they did was recommend that I ask
my bank to do a chargeback, but my bank says I need to wait 30 days after the
transaction to do so. So yeah, my lesson was the same: I should have stuck
with Amazon because smaller stores just can't be trusted with handling
purchases correctly.

~~~
WrtCdEvrydy
Privacy.com... is my thing for this reason.

~~~
therockspush
as soon as you can use a credit card to fund it, perfection.

~~~
WrtCdEvrydy
that will probably not happen because they would be eating a credit card
fee...

that service only works because they become the credit card processor and get
to pocket the card fee...

------
save_ferris
It's weird to me that we're hearing about this from the press instead of
Instacart. If a suspected data dump of Instacart user data made its way to the
dark web, surely it wouldn't be difficult for Instacart to buy a subset of it
and confirm or deny its validity.

If I was an Instacart customer, I'd feel a lot more comfortable with a
preliminary "we're aware and looking into this" statement from Instacart
directly as opposed to doing nothing and telling the press that they don't
know anything.

When a data dump like this hits the dark web, are companies even legally
obligated to look into it?

~~~
Animats
In California, yes.[1]

Instacart has not yet reported this breach to the California attorney general,
like they're supposed to.[2] There's a long list of companies with data
breaches there.

[1] https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.82

[2] https://www.oag.ca.gov/privacy/databreach/list

~~~
elliekelly
Keep in mind that developers hear a user needs to be notified in “the most
expedient time possible” and think minutes or hours but the lawyers read that
and are thinking days or potentially even weeks in some circumstances. Just
because Instacart hasn’t notified anyone yet doesn’t mean they won’t or that
they’ve failed to comply with the obligation.

~~~
save_ferris
Then the law sounds ineffective to me. There are security researchers featured
in this article saying that this dump looks legit, and Instacart still gets to
pretend like everything is normal? User data could wind up sitting on the dark
web for weeks before Instacart finally gets around to notifying them of the
breach.

Tools like haveibeenpwned typically rely on companies' cooperation to report
breaches since "data breach" is a legal term. But since Instacart still hasn't
reported this, do the security tools get updated in a timely way, or are there
millions of credit cards and passwords sitting up for sale while lawyers
figure out how to handle the legal side of this?

------
tialaramex
I used to deal with this sort of stolen data (wow, it seems like a long time
ago now). A big pile arrived every single morning before dawn.

At this scale you'd expect to find clear evidence it was Instacart users e.g.
an account with email address dave+instacart@davesdomain.example. If there's
nothing like that in the data then it's immediately suspicious, a small site
might just not have any users with such breadcrumb trails in their email but a
big dump like this should statistically have something because there are lots
of people (including me) using a breadcrumb for every account.

This is how I know for sure that one of the banks I used years ago lost all
their customer email/name data even though they denied this at the time when
it was news. I get scam emails to the address I gave them even now.

You'd also expect a company that cares about its users' data to have plausible
looking "watermark" accounts that trip alarms, so they'd be able to confirm
this is their data. Even, if they did a proper job, what the source was (e.g.
if you send a subset of data to a partner organisation you can add more
watermark data and that lets you know if the data is stolen from that partner).

~~~
nsomaru
Have always been curious about this; if you stole data or are using stolen
data why wouldn’t you just strip out the breadcrumb?

~~~
tialaramex
Two answers for that:

1. Crooks are lazy. Actually _humans_ are lazy and crooks are human, but even
more so criminal activity doesn't tend to come with any quality control. Even
obvious data cleanup like fixing escaping often isn't done, because there's no
incentive.

2. Breadcrumbs tend to be obvious to a human but a variety of schemes might
be employed, which means automation to strip them would need to be relatively
sophisticated or it'll miss many of them. I used to use breadcrumbs of the
form emanniamodXX@my-breadcrumb-domain.vanity.example where XX is two digits
signifying when I updated this email address, like maybe 14 means May/June
2009. A human can stare at that address, see it says domainname backwards and
realise it's a breadcrumb. But a trivial regex match will miss it.

~~~
ChrisMarshallNY
I’ve been using spamex for years. You can generate completely random email
addresses.

------
ajsharp
"The company denied there had been a breach of its data."

This is about as serious a breach as it gets. To have (or claim) zero
knowledge of it is pretty bad.

If the details of the story are correct, it would imply the attackers had full
database access. I would not be surprised to learn the attack vector was
gaining a privileged user's credentials, similar to the Twitter hack.

~~~
andykx
It is possible that they phished a few users (or used account details from
another leak) and the rest of the data is BS.

I don't think they're claiming zero knowledge. They're doing the exact
opposite: they're saying they have complete knowledge, and that it simply
didn't happen. I hope, for their sake, that they are correct.

------
DivisionSol
Anecdotal: Got hit with a password lock on a pretty unused Instacart account
~7 days ago (Jul 15).

Possibly a password leak from another site resulting in a targeted large-scale
account access to download customer data from a leaky API? (Baseless
commentary.)

~~~
cco
I had a similar thing happen last week with DoorDash, after the first two I
contacted their privacy@ address and requested an account deletion via CCPA.

~~~
dylan604
Isn't that closing the barn door after the horses left?

~~~
wastedhours
Not necessarily - if you catch it on unsuccessful login attempts and have no
evidence they got into the account, it's likely they moved onto the next email
address in their list and you can still go in and delete the account
pre-compromise.

------
pilingual
Back in March I started getting Instacart support emails for "Jocelyn Joans"
concerning Redwood City Safeway (not nearby). Instacart.com produced an error
when I tried to log in or reset my password. Since my email is unique for
Instacart, I hadn't used Instacart in 5 years, and I did not have any
Instacart correspondence in my email, there's very likely only one way someone
could have accessed my account.

I sent an email to legal@ demanding my account be removed and to follow up
that it had been done. The support emails stopped but I never heard from
Instacart.

Edit: added “very likely;” clarity.

~~~
woutr_be
> I sent an email to legal@ demanding my account be removed and to follow up
> that it had been done. The support emails stopped but I never heard from
> Instacart after that.

I must've sent close to 50 of these emails to different companies / services
I've used in the past. My request was always the same: a dump of my data,
removal of my account and confirmation that my account was removed. To
nobody's surprise, I never received a response to any of these requests.

~~~
WrtCdEvrydy
It might be a little easier now, tell them you're an EU resident... and they
have to by GDPR....

~~~
woutr_be
I don't reside in the EU, but I'm an EU citizen. I've quoted GDPR in those
emails, but they don't seem to care. My best guess is that they don't even
check the email accounts.

~~~
WrtCdEvrydy
Next time, use the topic "Looking for your DPO for a GDPR concern"... trust
me, someone will read that....

------
nwcs
One major factor that may be contributing to this: Instacart doesn't offer
2-factor authentication (2FA).

------
bsenftner
Online shopping carts are a nightmare of reliability. I've pretty much
abandoned my trust of them. I even spent time a few years ago contributing to
the Ubercart code base. Something is very fishy in the manner in which
financial transactions are handled, as if losses and fraud are expected and
baked in.

------
silver70
I had stopped using them because they always overcharged. I contacted them and
got an automated "we'll look into it" then never heard from them again. After
reading the report of whatever has happened I tried to change my password. It
wouldn't process it. So what now. Cancel the credit card? But other personal
information still possibly compromised...

------
silver70
I stopped using them because they constantly overcharged and I could get -0-
response. We'll look into it and that is the end. After seeing the report I
tried to change my password and it wouldn't let me. So what do we do? Cancel
the credit card on it? That still leaves personal info out there.

------
on_and_off
fwiw instacart says it is credential stuffing:
https://news.instacart.com/a-security-update-from-instacart-89beb7bf5121?gi=b582efd6d23c

------
BlackjackCF
Well, this certainly explains why I keep getting notified by Instacart that
someone is failing to log into my account. I'm deleting that garbage now.

------
namidark
Anecdotally, both credit cards I used on Instacart got popped for fraud right
after each other in the past week.

------
anaphor
Does instacart actually store credit card numbers, or just tokens? Why would
they need to store the last 4 digits?

~~~
on_and_off
I doubt they store credit card data (who does that?). Last 4 digits would be
to display "Your Visa -5555" in a payment method picker.

~~~
anaphor
Yeah, I just use google pay with them, which shows nothing, so there's nothing
for would-be identity thieves to steal except my name and address hopefully.

~~~
on_and_off
It seems to be credential stuffing anyway, so unless you use the same password
for every website (unfortunately lots of people do), you should be safe.

------
pstrateman
Isn't this their business model?

/s (kind of)

~~~
andykx
Jokes aside, I thought this was going to be about them selling this
information, not a hack.

------
amznthrwaway
Well, this also explains why my instacart account got locked the other day for
having too many failed attempts to access it.

------
Program_Install
This is very disheartening; I used instacart quite a bit during my time onsite
in NYC for a contract. I don't know why these companies have an initial
reaction of denying anything happened, when in the end all will find out
anyway. More egg on the face, just own it and work to be better.

------
niftylettuce
If you're in NYC, Brooklyn, Long Island, or nearby areas, check out our
farm-fresh online grocery service, OurHarvest @
https://ourharvest.com/?coupon=HACKERNEWS.

Use coupon code HACKERNEWS for 25% off your first order. We have a contactless
delivery option at checkout if needed.

P.S. I'm the CTO and Co-Founder, if you need anything or have questions, email
nick@ourharvest.com, or check out my GitHub at
[https://github.com/niftylettuce](https://github.com/niftylettuce)

