Date: 2020-07-26

Online shopping service Instacart says that reused passwords are to blame for a recent series of account breaches, which saw the personal data of hundreds of thousands of Instacart customers stolen and put up for sale on the dark web.

The company released a statement Thursday night saying that its investigation showed Instacart “was neither compromised nor violated,” but pointed to credential stuffing, where hackers take lists of usernames and passwords stolen from other breached sites and brute-force their way into other accounts.

“In this case, it appears that third-party bad actors were able to use usernames and passwords that were compromised in previous data breaches from other websites and applications to log in to some Instacart accounts,” the statement read.
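How the credential stuffing described above looks from the defender's side, as an added example that is not Instacart's code or part of the original article: a replayed credential list shows up in login logs as one source trying many different accounts once or twice each, unlike guessing against a single account. The log format, addresses, usernames and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log (not real data): "timestamp source_ip username result"
SAMPLE_LOG = """\
2020-07-23T10:00:01Z 203.0.113.7 alice@example.com FAIL
2020-07-23T10:00:02Z 203.0.113.7 bob@example.com FAIL
2020-07-23T10:00:03Z 203.0.113.7 carol@example.com OK
2020-07-23T10:00:04Z 203.0.113.7 dave@example.com FAIL
2020-07-23T10:00:05Z 203.0.113.7 erin@example.com FAIL
2020-07-23T10:00:06Z 203.0.113.7 frank@example.com FAIL
2020-07-23T10:01:00Z 198.51.100.20 grace@example.com FAIL
2020-07-23T10:01:01Z 198.51.100.20 grace@example.com FAIL
2020-07-23T10:01:02Z 198.51.100.20 grace@example.com FAIL
2020-07-23T10:01:03Z 198.51.100.20 grace@example.com FAIL
2020-07-23T10:01:04Z 198.51.100.20 grace@example.com FAIL
2020-07-23T10:02:00Z 192.0.2.10 heidi@example.com FAIL
2020-07-23T10:02:09Z 192.0.2.10 heidi@example.com OK
"""

def classify_sources(log, min_users=5, max_tries_per_user=2, brute_tries=5):
    """Label each source IP and list the accounts it logged in to successfully."""
    tries = defaultdict(lambda: defaultdict(int))   # ip -> username -> attempts
    logged_in = defaultdict(set)                    # ip -> usernames with an OK
    for line in log.strip().splitlines():
        _ts, ip, user, result = line.split()
        tries[ip][user] += 1
        if result == "OK":
            logged_in[ip].add(user)
    verdicts = {}
    for ip, per_user in tries.items():
        most = max(per_user.values())
        if len(per_user) >= min_users and most <= max_tries_per_user:
            # Many accounts, one or two guesses each: a replayed credential list.
            label = "credential_stuffing"
        elif most >= brute_tries:
            # Many guesses against a single account: password guessing.
            label = "brute_force"
        else:
            label = "normal"
        verdicts[ip] = (label, sorted(logged_in[ip]))
    return verdicts

if __name__ == "__main__":
    for ip, (label, accounts) in classify_sources(SAMPLE_LOG).items():
        action = f"reset and notify {accounts}" if label != "normal" and accounts else "-"
        print(f"{ip:15} {label:20} {action}")
```

A successful login from a source labelled as stuffing marks an account whose reused password worked, so that account is the one to force through a password reset.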

The statement comes after BuzzFeed News reported that data from more than 270,000 user accounts was for sale on the dark web, including the account’s username, address, the last four digits of their credit card, and their order histories for this week.

The stolen data represents a fraction of Instacart’s “millions” of customers in the United States and Canada, a spokesperson told BuzzFeed News.

But who is really to blame here: the customers for reusing passwords or the company for not doing more to protect against password reuse?

Well, it’s a bit of both. Every internet user should use a unique password on each website and install a password manager to remember them wherever they go. That means that if hackers steal one of your passwords, they cannot access all of your accounts. You should also enable two-factor authentication whenever possible to prevent hackers from getting into your online accounts, even if they have your password. By sending a code to your phone, either by text message or an app, you add a second layer of protection for your online accounts.

But Instacart cannot put all the blame on its users. Instacart still doesn’t support two-factor authentication, which, if customers had enabled it, would have stopped the hackers to begin with. When we checked, there was no option to enable two-factor authentication on an Instacart account, and nowhere on the Instacart site is it mentioned that the company supports the security feature.

Data released by Google last year shows that even the most basic two-factor authentication can prevent the vast majority of automated credential stuffing attacks.

We asked the company if it plans to roll out two-factor authentication to its users. When reached, Instacart spokesman Lyndsey Grubbs had no comment on the record beyond pointing to Instacart’s already released statement.

Instacart claims that security is a “top priority” and that it has a “dedicated security team, as well as multiple layers of security measures, focused on protecting the integrity of all customer accounts and data.”

But without giving users basic security features like two-factor authentication, Instacart users can barely protect their own accounts, let alone expect Instacart to do it for them.