Cyber Incident Victim: Instacart
Date: Aug 2020
Location: United States of America
Summary
Instacart experienced a security incident involving unauthorized access by two third-party support agents, who reviewed more shopper profiles than their support roles required, potentially exposing names, email addresses, telephone numbers, driver's license numbers, and license thumbnails for 2,180 individuals. The company confirmed no data was stored, downloaded, or copied during the breach but offered affected users complimentary credit monitoring for two years as a precaution. Following the incident, enhanced security protocols were implemented, including improved authentication methods, shopper ID verification, secure login procedures, automatic logouts, and restrictions on device switching. This follows a separate credential stuffing attack earlier in the year in which compromised accounts were sold online.
Description
Instacart disclosed a security incident on August 20, 2020, involving unauthorized access to shopper data by two third-party support agents. The company identified the breach during a routine review of support protocols, prompting an immediate investigation with forensic analysts. The agents, employed by an unnamed vendor, accessed more shopper profiles than required for their support roles. Investigators confirmed the exposed information included names, email addresses, telephone numbers, driver's license numbers, and thumbnail images of licenses for 2,180 shoppers. Instacart stated no evidence indicated data was stored, downloaded, or digitally copied during the access period. The company emphasized no customer profiles or information were compromised beyond the specified shopper group. Affected individuals received direct notifications and were offered two years of free credit monitoring as a precautionary measure despite the absence of confirmed data exfiltration.

Instacart implemented enhanced security controls following the investigation, including new shopper ID verification processes and secure login requirements. Additional measures involved automatic logout functionality and restrictions on device switching to limit unauthorized account access. The company also announced plans to launch a dedicated customer support service for security-related inquiries and potential personal information compromises. This incident occurred shortly after Instacart addressed a separate credential stuffing attack in July 2020, where 278,531 user accounts were listed for sale on dark web forums. Forensic reviews focused exclusively on the third-party agents' activities without expanding the impacted shopper count beyond the initially identified 2,180 individuals. The company maintained that all remedial actions were applied proactively despite finding no evidence of persistent data compromise.
