Data Breach: Instacart Shoppers Warned of Security Incident after Third-Party Contractors ‘Review’ Too Many User Profiles


US-based grocery delivery and pick-up service Instacart has recently disclosed a security incident involving unauthorized access to shopper information by two support agents from a third-party vendor retained by the company.

Instacart claims that it discovered the breach during a review of support protocols and that it immediately opened an investigation alongside a forensic analysis team.

“As part of our ongoing review of support protocols, we’ve determined that two employees retained by a third-party support vendor we work with may have reviewed more shopper profiles than was necessary in their roles as support agents”, Instacart said.

The final report of the investigation confirmed the company's suspicions, finding that the two employees viewed “a limited set of shopper information that may have included name, email address, telephone number, driver’s license number, and a thumbnail image of the driver’s license.”

However, Instacart assures users that no shopper data was stored, downloaded or copied during this unauthorized access, and emphasizes that “no customer information or profiles were accessed or impacted in any way by this incident.”

It appears that only 2,180 shoppers were affected by the breach. The company also said that it has officially notified the potentially affected shoppers and, as a precaution, provided them with a complimentary two-year credit monitoring and protection service.

“While our investigation offered no indication that any shopper had their data stored, downloaded or digitally copied in any way, as an additional preventative measure, we’re offering two years of free credit monitoring and protection to all 2,180 shoppers whose information may have been viewed by these two individuals”, the company added.

The company has already reinforced its security measures, introducing new authentication methods for platform users, including shopper ID verification, secure login, automatic logouts, and a ban on device switching.

On top of these protective measures, Instacart claims it is working on releasing a new customer support service for customers who believe that their personal information has been compromised or who have any security-related questions.

This is not the first security incident reported by Instacart this year. Last month, the company disclosed a credential stuffing attack after 278,531 user accounts were put up for sale on a dark web forum.