[BreachExchange] Instacart blames reused passwords for account hacks, but customers are still without basic two-factor security

Destry Winant destry at riskbasedsecurity.com
Mon Jul 27 10:19:29 EDT 2020


https://techcrunch.com/2020/07/24/instacart-data-theft-two-factor/?guccounter

Online shopping service Instacart says reused passwords are to blame
for a recent spate of account breaches, which saw personal data
belonging to hundreds of thousands of Instacart customers stolen and
put up for sale on the dark web.

The company published a statement late on Thursday saying its
investigation showed that Instacart “was not compromised or breached,”
but pointed to credential stuffing, where hackers take lists of
usernames and passwords stolen from other breached sites and
brute-force their way into other accounts.
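The pattern described above, many different usernames tried from one source with mostly failures, is what a defender looks for in authentication logs. The following is an added example, not code from the article or from Instacart; the log events are constructed, and the thresholds are assumptions to be tuned per site.

```python
from collections import defaultdict

# Constructed sample of authentication events: (source_ip, username, outcome).
# One source cycles through many accounts with stolen credentials and lands
# one valid pair; the other sources are ordinary users retyping a password.
SAMPLE_EVENTS = [
    ("198.51.100.7", "alice", "fail"),
    ("198.51.100.7", "bob", "fail"),
    ("198.51.100.7", "carol", "fail"),
    ("198.51.100.7", "dave", "fail"),
    ("198.51.100.7", "erin", "success"),
    ("198.51.100.7", "frank", "fail"),
    ("203.0.113.5", "alice", "fail"),
    ("203.0.113.5", "alice", "success"),
    ("192.0.2.9", "bob", "success"),
]


def stuffing_sources(events, min_users=5, min_fail_ratio=0.8):
    """Flag sources that look like credential stuffing.

    A source is flagged when it tries at least `min_users` distinct
    usernames and at least `min_fail_ratio` of its attempts fail.
    Returns {source_ip: [accounts that source logged into successfully]},
    i.e. the accounts that need a forced reset or step-up authentication.
    """
    per_ip = defaultdict(lambda: {"users": set(), "fails": 0,
                                  "total": 0, "hits": set()})
    for ip, user, outcome in events:
        s = per_ip[ip]
        s["users"].add(user)
        s["total"] += 1
        if outcome == "fail":
            s["fails"] += 1
        else:
            s["hits"].add(user)

    flagged = {}
    for ip, s in per_ip.items():
        fail_ratio = s["fails"] / s["total"]
        if len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = sorted(s["hits"])
    return flagged


if __name__ == "__main__":
    for ip, accounts in stuffing_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: credential stuffing suspected; compromised={accounts}")
```

A second factor on the successful login would have blocked the one hit even though the password was valid.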

“In this instance, it appears that third-party bad actors were able to
use usernames and passwords that were compromised in previous data
breaches of other websites and apps to login to some Instacart
accounts,” the statement reads.

The statement comes after BuzzFeed News reported that data on more
than 270,000 user accounts was for sale on the dark web, including the
account user’s name, address, the last four digits of their credit
card, and their order histories from as recently as this week.

Instacart said that the stolen data represents a fraction of the
“millions” of Instacart’s customers across the U.S. and Canada, a
spokesperson told BuzzFeed News.

But who’s really to blame here: the customers for reusing passwords,
or the company for not doing more to protect against password reuse?

Granted, it’s a bit of both. Any internet user should use a unique
password on each website, and install a password manager to remember
them for you wherever you go. That means if hackers make off with one
of your passwords, they can’t break into all of your accounts. You
should also enable two-factor authentication wherever possible to
prevent hackers from breaking into your online accounts, even if they
have your password. By sending a code to your phone — either by text
message or an app — it adds a second layer of protection for your
online accounts.

But Instacart cannot shift all the blame onto its users. Instacart
still does not support two-factor authentication, which — if customers
had enabled — would have prevented the account hacks to begin with.
When we checked, there was no option to enable two-factor on an
Instacart account, and no mention anywhere on Instacart’s site that it
supports the security feature.

Data published by Google last year shows even the most basic
two-factor can prevent the vast majority of automated credential
stuffing attacks.

We asked the company if it plans to roll out two-factor to its users.
When reached, Instacart spokesperson Lyndsey Grubbs would not comment
on the record beyond pointing to Instacart’s already published
statement.

Instacart claims security is a “top priority,” and that it has a
“dedicated security team, as well as multiple layers of security
measures, focused on protecting the integrity of all customer accounts
and data.”

But without giving users basic security features like two-factor,
Instacart users can barely protect their own accounts, let alone
expect Instacart to do it for them.
