Instacart discloses security incident caused by two contractors

Instacart says two employees at a third-party support vendor accessed "more shopper profiles than was necessary."
Written by Catalin Cimpanu, Contributor

Grocery delivery and pick-up service Instacart disclosed a security incident caused by two employees working for a company providing tech support services for Instacart shoppers.

According to a press release published today, Instacart says the two employees "may have reviewed more shopper profiles than was necessary in their roles as support agents."

The company is now notifying 2,180 shoppers via email about the incident. The figure represents the Instacart user profiles the company believes the two employees might have needlessly accessed while working as tech support agents.

Breach discovered following a routine audit

Instacart said it learned of the two support agents' breach of procedure following a routine security audit.

The grocery delivery service said a subsequent forensic investigation did not find any evidence the two support agents had downloaded or digitally copied data from its systems.

Nonetheless, Instacart said that it took drastic measures when it came to dealing with the support agents and the company that hired them.

"First, we immediately worked with our third-party support vendor to ensure that their two employees will never work on behalf of Instacart again," Instacart said today.

"Second, we suspended work at this third-party support location and have since ceased local operations indefinitely."

Second security incident this year

This is the second security incident that Instacart has had to deal with this summer. In July, hackers put up for sale the details of 278,531 Instacart accounts on a dark web marketplace.

The sold data included names, delivery addresses, the last four digits of credit card numbers, and order histories, according to Buzzfeed.

Instacart acknowledged the incident two days later, in a press release, and blamed it on a credential stuffing attack, accusing users of reusing passwords across online accounts.
