A Security Update From Instacart

We wanted to share an update for Instacart customers related to reports about a recent third-party security issue.

Internally, we’ve assembled a cross-functional team to promptly investigate this issue and provide an update to our customers. Our teams have been working around the clock to quickly determine the validity of reports related to site security and so far our investigation has shown that the Instacart platform was not compromised or breached.

Based on our team’s assessment, we believe that this is what is commonly referred to as credential stuffing — an activity that occurs across the web when a person uses the same login credentials across various websites and apps. If a user’s credentials are compromised on another website or app and their login information is shared across platforms, it makes it easier for third-party bad actors to access and utilize accounts connected to those compromised login credentials.

In this instance, it appears that third-party bad actors were able to use usernames and passwords that were compromised in previous data breaches of other websites and apps to login to some Instacart accounts. In some instances, this would have given the third party bad-actors access to basic customer account information such as first name, address, last order, total order number, and in some cases, the last four digits of a customer’s credit card. This information was not uniformly pulled for every impacted customer, and no credit card data was compromised as Instacart does not store full credit card information.

We are taking a number of steps to further support those impacted, as well as to ensure the continued security of our platform. We’re actively communicating to all affected customers, invalidating their previous password and advising them to reset their password as an extra security measure. As is standard practice, we advise all customers to select unique, strong passwords for their Instacart accounts that they do not use on any other apps or websites as an extra precaution.

We have a dedicated security team, as well as multiple layers of security measures, focused on protecting the integrity of all customer accounts and data. The security of our customers’ accounts and data is a top priority at Instacart, and we are committed to maintaining a safe and secure environment for all members of the Instacart community.