On Wednesday, Buzzfeed News reported that the personal data of Instacart customers -- including the last four digits of credit card numbers, names and order histories -- was being sold on the dark web.
Hundreds of thousands of customers could be affected, according to Buzzfeed. Reportedly, some of the data being sold was stolen as recently as Wednesday.
“We take data protection & privacy very seriously and our investigation so far has shown that the Instacart platform was not compromised or breached,” Instacart tweeted. “Based on our team’s assessment, we believe this is the result of credential stuffing - a technique used by 3rd party bad actors similar to phishing, and occurs when a person uses similar login credentials across various websites and apps.”
“We are reaching out to individual customers to auto-force a password update to those customers that may have been affected by third party credential-stuffing,” Instacart added. “If customers are concerned and want to take their own action out of an abundance of caution, we recommend that customers change their Instacart password in their account settings to a unique password that they do not use on any other apps or website accounts.”
Instacart did not immediately respond to FOX Business' request for comment, but a company spokesperson told Buzzfeed it was “not aware of any data breach.”
“We take data protection and privacy very seriously,” the spokesperson told the website. “Outside of the Instacart platform, attackers may target individuals using phishing or credential stuffing techniques.”
“In instances where we believe a customer’s account may have been compromised through an external phishing scam outside of the Instacart platform or other action, we proactively communicate to our customers to auto-force them to update their password,” the spokesperson added.
According to Buzzfeed, 278,531 accounts appeared to be listed “in two dark web stores,” but some of that information could have been duplicated or false.
Cybersecurity expert Nick Espinosa, the head of Security Fanatics, told Buzzfeed the data appeared “recent and totally legit.”
Buzzfeed also spoke with two women whose information was listed in the “stores.” They confirmed they are Instacart customers and that the information posted was accurate.