Cyber Incident Victim: Instacart
Date:
Jul 2020
Location:
United States of America
Summary
A cybersecurity incident involving Instacart customers resulted from credential stuffing attacks, where attackers used previously compromised credentials from other breaches to gain unauthorized access to accounts. Personal data including names, addresses, the last four digits of credit cards, and recent order histories of over 270,000 users were stolen and offered for sale on the dark web. The company asserted its systems were not directly breached but attributed the compromise to customers reusing passwords across multiple services. Notably, the platform lacked two-factor authentication at the time of the incident, a security measure that could have mitigated the impact of such attacks despite the company's claims of prioritizing security through dedicated teams and layered defenses.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In late July 2020, Instacart customers reported unauthorized access to their accounts, with personal data subsequently appearing for sale on dark web marketplaces. On July 24, 2020, Instacart publicly attributed these breaches to credential stuffing attacks rather than a direct compromise of their systems. The company stated that attackers used username and password combinations obtained from previous third-party data breaches to gain unauthorized access to Instacart accounts where customers had reused login credentials across multiple services. Analysis revealed that stolen data included customer names, delivery addresses, the last four digits of credit cards stored on accounts, and detailed order histories containing information from recent transactions. BuzzFeed News reported that records from over 270,000 compromised accounts were being actively traded, though Instacart characterized this figure as representing only a small fraction of their total user base across the United States and Canada.
The incident exposed significant security limitations in Instacart's account protection framework during this period. Despite credential stuffing being a well-documented attack vector, Instacart lacked basic two-factor authentication (2FA) capabilities that could have prevented unauthorized logins even with compromised passwords. Security researchers and journalists confirmed the absence of any 2FA implementation—either via SMS or authenticator apps—in Instacart's security options at the time of the breaches. The company's public response emphasized existing security investments, including a dedicated security team and unspecified "multiple layers of security measures," but declined to address inquiries about implementing two-factor authentication. This security gap persisted despite Google research indicating that basic 2FA implementations could block the majority of automated credential stuffing attempts. Customers affected by the breaches faced potential financial fraud risks due to exposed partial payment card details and privacy violations from the disclosure of detailed purchase histories and physical addresses.