Hundreds of thousands of Instacart customers’ personal data is currently being sold for as little as $2 per account on the dark web.
The data, which includes the last four digits of credit card numbers, names and order histories, was available for sale for just $2 per account on two stores on the dark web as recently as yesterday.
The site, which BuzzFeed News chose not to disclose, was advertising the data of 278,531 accounts, but admitted many may have been faulty.
The most recent upload of Instacart customer data to one of the websites was on 22 July, and there were continuous updates throughout June and July.
In the feedback for one of the sales, seen by DailyMail.com, one customer said: ‘Thanks man looking forward to the free stuff :).’
Another said: ‘Great overall experience highly recommended.’
Other comments said the vendor had not fulfilled the order and that they didn’t receive the information.
An Instacart spokesman told BuzzFeed they were ‘unaware’ of a breach of their data.
‘We are not aware of any data breach at this time. We take data protection and privacy very seriously,’ they said.
Instead, the spokesman suggested the attackers may have procured the information using ‘phishing’ or other forms of cyberattack.
‘In instances where we believe a customer’s account may have been compromised through an external phishing scam outside of the Instacart platform or other action, we proactively communicate to our customers to auto-force them to update their password,’ they added.
The sites used were on the dark web, but BuzzFeed has chosen not to name them.
Cybersecurity expert Security Fanatics confirmed the advertisement looked legitimate and believed it had been posted recently.
Two women whose information was part of the illegal online package were Hannah Chester and another who preferred only to be known as Mary M.
‘I don’t really know what to say. It’s hard to know what to say, not knowing if it’s a result of [Instacart’s] negligence,’ Hannah Chester told BuzzFeed News. ‘But if they’re aware that this happened and haven’t informed us, that’s problematic.’
Mary reiterated her disappointment that Instacart had failed to make its customers aware of the attack and that she had to find out through journalists.