top of page
  • Admin

InstaCart Delivers Blame For Data Breach

Published: September 21, 2020 on our newsletter Security Fraud News & Alerts Newsletter.

Food delivery companies and their customers are feeling the heat of this latest data breach. This one involves InstaCart, one of the most prominent grocery delivery services available. However, InstaCart is far from the only delivery service to suffer a data breach in recent times, especially considering the massive influx of customers during the coronavirus pandemic. Just last year, DoorDash was hit by a breach affecting 4.9 million of its customers. Other data hacks happened to similar services. The difference this time being that InstaCart refused to acknowledge they’ve experienced a data breach at all. Instead, the company is blaming its customers for the breach that exposed the personally identifiable information (PII) of more than 270,000 users.

A defiant InstaCart chose a different path for addressing this breach, even after learning the customer PII for sale online included the names, addresses, and the last four digits on credit cards. The company released a statement saying, “In this instance, it appears that third-party bad actors were able to use usernames and passwords that were compromised in previous data breaches of other websites and apps to login to some InstaCart accounts.” In other words, InstaCart customers whose data was compromised were blamed for reusing passwords, which the company believes was key to the breach.

InstaCart has a valid point about password reuse, although laying direct blame on customers is debatable. Cybersecurity experts warn against reusing passwords in every case, especially after the password may have already been stolen in another breach. However, others point to negligence by InstaCart for failing to provide its customers with the most common log-in protection; two-factor authentication (2FA). Companies use 2FA as an added layer of identity verification for customer log in, helping assure the customer is whom they say they are and not a bad actor.

While the blame-game rails on, users of all online services, including those like InstaCart, are reminded that password reuse is a dangerous decision that should be avoided. Strong and unique passwords are always recommended for every account, and have a mix of upper and lowercase letters, numbers and symbols, and be at least 8 characters long. Don’t create passwords using PII such as birth dates and phone numbers. If you keep a list of your passwords, make sure it’s in a place only you know about. And that should not be on your computer. Poor passwords only make a hacker’s job easier, and no one wants that. Also, add 2FA to your log-in whenever it’s available as an added layer of identity protection. This means if InstaCart had made 2FA available, just maybe even those who did reuse passwords would not have been compromised. 2FA is easy to set up and it works. That’s a very good thing these days.

Want to schedule a conversation? Please email us at


bottom of page