Online shopping service Instacart says reused passwords are to blame for a recent spate of account breaches, which saw personal data belonging to hundreds of thousands of Instacart customers stolen and put up for sale on the dark web.
The company published a statement late on Thursday saying its investigation showed that Instacart “was not compromised or breached,” but pointed to credential stuffing, where hackers take lists of usernames and passwords stolen from other breached sites and brute-force their way into other accounts.
“In this instance, it appears that third-party bad actors were able to use usernames and passwords that were compromised in previous data breaches of other websites and apps to login to some Instacart accounts,” the statement reads.
The statement comes after BuzzFeed News reported that data on more than 270,000 user accounts was for sale on the dark web, including the account user’s name, address, the last four digits of their credit card, and their order histories from as recently as this week.
The stolen data represents a fraction of the “millions” of Instacart’s customers across the U.S. and Canada, an Instacart spokesperson told BuzzFeed News.
But who’s really to blame here: the customers for reusing passwords, or the company for not doing more to protect against password reuse?
Granted, it’s a bit of both. Any internet user should use a unique password on each website, and install a password manager to remember them for you wherever you go. That means if hackers make off with one of your passwords, they can’t break into all of your accounts. You should also enable two-factor authentication wherever possible to prevent hackers from breaking into your online accounts, even if they have your password. Two-factor sends a code to your phone, either by text message or an app, adding a second layer of protection for your online accounts.
But Instacart cannot shift all the blame onto its users. Instacart still does not support two-factor authentication, which, if customers had enabled it, would have prevented the account hacks to begin with. When we checked, there was no option to enable two-factor on an Instacart account, and no mention anywhere on Instacart’s site that it supports the security feature.
Data published by Google last year shows even the most basic two-factor can prevent the vast majority of automated credential stuffing attacks.
We asked the company if it plans to roll out two-factor to its users. When reached, Instacart spokesperson Lyndsey Grubbs would not comment on the record beyond pointing to Instacart’s already published statement.
Instacart claims security is a “top priority,” and that it has a “dedicated security team, as well as multiple layers of security measures, focused on protecting the integrity of all customer accounts and data.”
But without basic security features like two-factor, Instacart users can barely protect their own accounts, let alone expect Instacart to do it for them.
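Credential stuffing as described above leaves a recognizable trail in a service's own login logs: one source trying one or two passwords across many different accounts, almost all of them failing. The sketch below is an added example, not Instacart's code; the log format, thresholds and function names are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth log (not real data): time, source IP, username, outcome.
SAMPLE_LOG = """\
2024-01-01T10:00:01 203.0.113.7 alice@example.com FAIL
2024-01-01T10:00:02 203.0.113.7 bob@example.com FAIL
2024-01-01T10:00:03 203.0.113.7 carol@example.com FAIL
2024-01-01T10:00:04 203.0.113.7 dave@example.com FAIL
2024-01-01T10:00:05 203.0.113.7 frank@example.com OK
2024-01-01T10:01:00 198.51.100.20 gina@example.com FAIL
2024-01-01T10:01:05 198.51.100.20 gina@example.com FAIL
2024-01-01T10:01:10 198.51.100.20 gina@example.com FAIL
2024-01-01T10:01:15 198.51.100.20 gina@example.com FAIL
2024-01-01T10:02:00 192.0.2.15 heidi@example.com FAIL
2024-01-01T10:02:20 192.0.2.15 heidi@example.com OK
"""

def parse(log):
    for line in log.strip().splitlines():
        ts, ip, user, outcome = line.split()
        yield datetime.fromisoformat(ts), ip, user, outcome == "OK"

def classify_sources(log, window=timedelta(minutes=5), min_events=4, min_fail_ratio=0.8):
    """Label each source IP 'stuffing', 'brute_force' or 'normal' (illustrative thresholds)."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse(log):
        by_ip[ip].append((ts, user, ok))
    verdicts = {}
    for ip, events in by_ip.items():
        events.sort()
        verdicts[ip], start = "normal", 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            fail_ratio = sum(not ok for _, _, ok in win) / len(win)
            if len(win) < min_events or fail_ratio < min_fail_ratio:
                continue
            if len(users) == 1:
                verdicts[ip] = "brute_force"  # many guesses at one account
            elif len(win) / len(users) <= 2:
                verdicts[ip] = "stuffing"  # one or two tries across many accounts
                break
    return verdicts

def accounts_to_reset(log):
    """Accounts that logged in successfully from a source labelled 'stuffing'."""
    bad = {ip for ip, v in classify_sources(log).items() if v == "stuffing"}
    return sorted({user for _, ip, user, ok in parse(log) if ok and ip in bad})
```

A per-IP view like this misses attempts spread across many addresses, so it complements two-factor authentication rather than replacing it.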