The personal info of what could be Instacart customers is being sold online (buzzfeednews.com)
344 points by coloneltcb on July 23, 2020 | hide | past | favorite | 115 comments



I am not surprised. Recently I had an issue with Instacart when somehow one of my orders was charged back. The Trust team at Instacart insisted that I pay up and refused to investigate their system, after I provided a lot of evidence of how their system is mixing up my account with somebody else’s and there is a bug in their integration with Costco. After more than a week of back and forth they closed my account. I decided to reopen it by paying the charged-back amount because without it I can’t shop at Costco. Guess what, after the account was reopened, the other transaction delivered to another person living in another state is still showing up in my account, including their other private information like cell phone numbers and CC digits. I decided it’s better to buy from Amazon instead of Costco with Instacart. It’s beyond me why their trust department refused to investigate their system with obvious evidence of bugs, and I don’t want to text the other person in my account to notify him that his private information has been compromised, because the communication with Instacart made me feel that I am guilty.

If you use Instacart to buy from Costco, be aware.


You need to publicly shame them on Twitter. That is a massive breach likely happening to other users as well. HN has a decent audience but Twitter has an enormous audience.

Tag some tech reporters as well for extra fun.


I thought about that but I am no influencer type. The communication with Instacart makes me feel that they suspect I have stolen somebody’s credit card to make the purchase, and after they reopened my account I can see that person’s cell number and address and such, and I don’t know an easy way to go public without showing the proof, which is another person’s private information.


> I don’t know an easy way to go public without showing the proof, which is another person’s private information.

It might be worth sharing with a journalist; potentially the author of the linked article?


No! They would comply, post an apology and continue the same way. You need to sue them for data breaches and endangering personal info. Of course legislation has to come up for stuff like this. Best day for that would be yesterday.


You need a personal audience for that. Posting on Twitter with 10 followers at best isn’t likely to make it.


Not with the right hashtag or mentions.


Yeah, like all social media platforms these days, you usually have to pay in one way or another to promote a hashtag. I bet most of the popular hashtags you know of were sponsored at some point.


Why don't you go ahead and do that, and then report back to us on your success.


I'm pretty curious how this happens technically -- is there a hash collision? Do they hash email addresses as a key or something?


It's gotta be something simpler than that. Perhaps there was a database rollback and now they have mismatched IDs somewhere. Or perhaps the caching scheme wasn't thought out thoroughly and the caches got delivered to the wrong person. There are literally a million ways things could go wrong, and a hash collision is the last thing I'd suspect.


Yep, that's exactly what I told them, that it's mostly a hash collision, when I was not willing to pay the chargeback unless they could explain why somebody else's number was on my account. That's why it makes me angry that after I paid the chargeback I can still see another person's info in my account: I realize they have all the information themselves already and they know the issue, they just refuse to fix it and acknowledge it. It's strange that they could see the mismatched information in my account all along, but they only care about recovering the $80 chargeback, while I have already made another $1000 purchase from Costco. I think it may be a better approach to escalate to Costco.


I know people on here might have GDPR fatigue, but in Europe you'd have a massive stick to incentivize them to make it right. This is exactly why regulation such as this is needed.

We shouldn't have to depend on publicity and shame to force a company to be careful with our data, we should have a neutral agency that investigates every report equally and is able to hand out fines for those companies that don't take our privacy seriously.

(I mean, California is on the right track)


You may underestimate how little of a shit companies give. T-Mobile Netherlands has been sending me plenty of private information about one of their customers for months (their customer signed up using a.person@gmail.com as their email address; I've held the aperson@gmail.com account since 2006, hence I receive the emails).

I've tried escalating this with them multiple times; each time they insist that I won't receive any more emails, until the next one arrives. I also tried threatening them with taking it up with whichever authority is relevant if they don't fix it and reminded them about the €20m or 4% of global turnover fine they could incur, yet I still keep receiving this poor sap's information.


Then do it! Contact the Autoriteit Persoonsgegevens [1], that's exactly the point of my comment.

[1]: https://autoriteitpersoonsgegevens.nl/en/contact-dutch-dpa/c...


Have you tried contacting their DPO? Their privacy policy [0] lists dpo@t-mobile.nl as the email address to write to.

[0]: https://www.t-mobile.nl/Global/media/pdf/privacy-statement.p...


In case you haven't already tried, I would contact their legal department. I would expect them to be far more invested and effective in fixing these breaches than anybody in the phone-based customer support chain.


Although it's about a different subject matter, I'm reminded of this quote from a patio11 article:

> [A bank's] CS department is scored on number of tickets resolved per hour, and each rep’s incentives are simply to classify you as something requiring no followup and get you off the phone. [...] The legal department (or an analogous group – it is different at every bank) is not scored on cases resolved per week. They are scored on regulatory incidents per quarter, and their target for success is likely zero. Shockingly senior people will be involved to avert regulatory incidents.

src: https://www.kalzumeus.com/2017/09/09/identity-theft-credit-r...


I'm not sure that's a violation of GDPR. If person A has accidentally authorised their personal correspondence to be sent to person B they are pretty culpable for the consequence. Good systems require you to verify your email address, but I'm not sure there's a legal requirement to enforce that.

Regardless, it's a very different problem to a bug introduced by the company that leaks customer information.


> I'm not sure that's a violation of GDPR.

I think the initial communication is obviously not the fault of the company, but as soon as they are aware and refuse to put right the situation, I think they are very much at fault.


Exactly, honest mistakes can, and do, happen. The cause should be investigated and if minor, logged on a register; if serious, it must be reported to the regulator.


The initial email was pretty bad, I immediately deleted it and contacted them, but it included:

- Full name

- Date of Birth

- Some kind of National ID number

- Bank account details

- Address

If I were of a lesser moral character I'm sure I could have been very naughty with that information.


Another possibility is the email address is read out (such as over the phone) and a staff member transcribes it incorrectly.


GDPR has a requirement that data be accurate (Article 5, section 1 d). This is applicable in practice because of the Right to Rectification, Article 16.

https://gdpr-info.eu/art-16-gdpr/

The initial issue is probably not a violation of GDPR, and not a reportable data breach. However, not fixing the issue after it was brought to their attention is more likely to be a violation.


It's definitely a GDPR breach, but it may not necessarily be reportable to the data regulator. IMHO it should definitely be reported to the data protection officer first before going to the regulator. Most frontline staff have no idea how to handle GDPR queries or issues, but it's the designated data protection officer's role to be responsible.


I was at a friend's place in a nearby town and got an order from Fry's (grocery store) where the guy charged me for 5 things he didn't deliver (about $30). I made a complaint (1* review, support ticket) and changed his tip to $0.01 because I couldn't set it to 0.

The next day I had 6 charges from 2 Fry's in the area of where I was the day before, totalling about $550 at stores I had never been to (and did not appear as instacart charges like they normally would). My bank gave me a fraud warning when they tried to use an atm. I still had the card in my possession. I reported it to Instacart and never got a response. My bank was able to reverse the charges as fraud though, fortunately.

So I don't know how, but at least one rogue Instacart delivery person was able to get my ATM card information and misuse it. If not, the coincidence that accounts for all the evidence is astronomical.


InstaCart charged my card in error this week. I told them, then they spent the whole week heckling me about card information, etc., claiming they couldn't find the charge, getting auto replies, etc. Yesterday I just called my bank and filed a dispute. Problem solved. Instacart cancelled.


You may be just the opposite of the issue I have with instacart. If so, I don't think the problem is solved. Instead, Instacart is probably displaying your private information to another person (who your card was charged for).


Filing a dispute is the best way to go about lousy merchants...


Why not create a new, separate account?

I keep a pre-paid credit card that I will occasionally refill for stuff like this. I keep my actual banking 2-3 steps away from anything online.

All charges go through a credit/charge card (usually amex).

If I'm particularly skeptical or it's a company that requires card info for something that shouldn't (like some intro/free trial), I just use a prepaid card with a minimal amount I'm willing to lose.


Wow, thanks for sharing this. I’m going to close my Instacart account now. I haven’t used it in a while but I don’t want my data sitting on a platform that doesn’t care about security.


Put these details in a certified letter sent to the legal departments of both InstaCart and Costco. They'll pay attention to an evidence trail.


Just tangentially related, but recently I tried to buy something from an online store called Adorama, and when I tried to place an order I got the notification of the charge from my bank after clicking the order button, but the page didn't do anything. Initially I thought "well, let's just get in touch with customer support, pretty sure they can see the charge and let me know what happened with it". Oh boy, was I wrong: their customer support only has access to orders, not transactions, so when a bug in their website charged me without creating an order there was nothing they could do at all; all they did was recommend that I ask my bank to do a chargeback, but my bank says I need to wait 30 days after the transaction to do so. So yeah, my lesson was the same: I should have stuck with Amazon because smaller stores just can't be trusted with handling purchases correctly.


Online camera stores and places that sell $2500+ small, valuable, easily resold electronics are one of the #1 targets for credit card/identity fraud. It's likely that whatever you ran into is an unintended side effect of either Adorama's anti-fraud system, the anti-fraud system of their payment processor or your bank.

Adorama is a legit store, they've been around for 25+ years.


Adorama is totally reputable and everyone is smaller than Amazon. Still super annoying to encounter things like that though.


Adorama is legit, along with B&H they're one of the big names in cameras and photography equipment.

I've purchased from Adorama in the past without issues and you can call their salespeople for advice, which is unlikely with Amazon.


Privacy.com... is my thing for this reason.


As soon as you can use a credit card to fund it, perfection.


That will probably not happen because they would be eating a credit card fee...

That service only works because they become the credit card processor and get to pocket the card fee...


Adorama is a huge company. Must be a top 1000 e-commerce vendor.


Why can't you go shopping yourself? I am genuinely curious, not being sarcastic. Costco is typically stuff that you buy once a month if that; can you not even spare an hour or two once a month to go shopping?


That was in May, shopping at Costco means waiting in line outside for a couple of hours. We are also a high risk household. Costco was the only shop that does grocery delivery at the time (amazon fresh was totally not available then). It’s an easy decision between shopping at store, or online and have them delivered the next day. We are using the Costco website, so I think maybe the bug is in their integration.


Fair enough. I never got the appeal of Instacart & the like but I guess it is good that the option is there should one need it.


I actually never used the Instacart app and I can care less. I do care about the Costco next day grocery delivery service, which has a transparent integration with Instacart. That is, I order on Costco.com and Instacart will deliver it next day. Costco won’t allow me to chose other vendors for delivery.

If you use Instacart app to order items from Costco the price is actually different. I guess using Costco.com I have my membership benefit.


> I actually never used the Instacart app and I can care less.

What is the meaning you are trying to convey here? Genuinely confused by this sentence.


Sorry for the confusion. What I meant is that I have never made a purchase from the Instacart app or from the instacart.com website. Instead, I am placing online orders in the Costco app (and sometimes with a browser on costco.com) for groceries. Instacart is a vendor for Costco's grocery delivery. When I say I don't care about Instacart, I mean I am a customer of Costco for this order journey, not a customer of Instacart.


I too see this phrase used and it often seems to imply the opposite meaning of what is intended. It is indeed confusing.


Generally the phrase is "I couldn't care less", meaning it is impossible to care any less than I already do.

I think "I can care less" is meant to mean "I can care less than most people do, because it doesn't matter to me".


In my experience people say "I can/could care less" when they mean to say "couldn't care less". An incorrect correction of the double negative.


Thanks for the language advice!


When did Costco have lines outside? I’ve been to several Costco’s during the pandemic and never waited at a single one. The worst that happened was toilet paper being out.


It amazes me that people still think their anecdata somehow applies to the world. Your personal experience has nothing to do with the experience of the previous shopper and there is no reason why you should doubt them on such a mundane thing. Or you could just use Google and read the dozens of results. Someone even came up with an app in Toronto to track COVID lines at Costco https://www.blogto.com/eat_drink/2020/04/costco-stores-toron...


Costco is worldwide?


Costco operates in a dozen countries.

Is this supposed to be a rhetorical question, or are you genuinely unable to use Google to discover simple facts?


If the two choices are "costco serves me" and "costco is worldwide", the latter is much closer to the truth.


It's weird to me that we're hearing about this from the press instead of Instacart. If a suspected data dump of Instacart user data made its way to the dark web, surely it wouldn't be difficult for Instacart to buy a subset of it and confirm or deny its validity.

If I was an Instacart customer, I'd feel a lot more comfortable with a preliminary "we're aware and looking into this" statement from Instacart directly as opposed to doing nothing and telling the press that they don't know anything.

When a data dump like this hits the dark web, are companies even legally obligated to look into it?


In California, yes.[1]

Instacart has not yet reported this breach to the California attorney general, like they're supposed to.[2] There's a long list of companies with data breaches there.

[1] https://leginfo.legislature.ca.gov/faces/codes_displaySectio...

[2] https://www.oag.ca.gov/privacy/databreach/list


To consider one possible scenario in-depth:

If it’s a leaked-passwords attack used to compromise an unknown number of accounts that had insecure passwords, is it possible for Instacart to prove a breach occurred to the degree necessary to trigger the notification requirement?

Is it even a breach at all, in that scenario? How is Instacart at fault?

Is it necessary to integrate with haveibeenpwned to avoid having to publish a new breach notification every day that at least X accounts with an insecure password are accessed without consent? Is this requirement codified in law, or must each business discover it the hard way?


More paranoid sites may ask when they notice unexpected login sources from geolocation not matching up. I have had that a few times with imprecise addresses and getting warnings from gmail about a DC login attempt while attempting a login from another location.

Not certain about what is legally expected however.


Keep in mind that developers hear a user needs to be notified in “the most expedient time possible” and think minutes or hours but the lawyers read that and are thinking days or potentially even weeks in some circumstances. Just because Instacart hasn’t notified anyone yet doesn’t mean they won’t or that they’ve failed to comply with the obligation.


Then the law sounds ineffective to me. There are security researchers featured in this article saying that this dump looks legit, and Instacart still gets to pretend like everything is normal? User data could wind up sitting on the dark web for weeks before Instacart finally gets around to notifying them of the breach.

Tools like haveibeenpwned typically rely on companies' cooperation to report breaches since "data breach" is a legal term. But since Instacart still hasn't reported this, do the security tools get updated in a timely way, or are there millions of credit cards and passwords sitting up for sale while lawyers figure out how to handle the legal side of this?


It's almost as if the law was specifically written this way to sound useful, but is actually toothless.


[flagged]


Delete this horrible comment.


I'd rather have it rewritten.

There is a good idea beneath all that waiting to get out from that violent comment, but sadly GP was not able to release it.

Also, for the younger ones here: this used to be totally fine Internet humor. We used to laugh at comments like GPs and none of us ever hurt a lawyer.

I actually sometimes miss that time while Internet still understood and valued humor.


> We used to laugh at comments like GPs

Used to? I'm still chuckling.


Careful with your opsec if you don't want to be fired from your nice job sometime in the future. People have been fired for less than this ;-)


Eh. If someone wants to fire me for chuckling at a bad-taste lawyer joke, I'd rather not work for them anyway ;)


Looks like Couchsurfing didn't report their breach either.

https://news.ycombinator.com/item?id=23912112


Pretty sure every single state has some form of breach notification law.


For some background on how legal it is to obtain (your own) data dumps, Leonard Bailey (US DOJ) did a great talk at RSA Conference 2020 (I attended this talk in person) on "Human Dimensions of Active Defense":

https://www.rsaconference.com/usa/us-2020/agenda/human-dimen...

His talk covers a lot of active defense techniques, and goes over some legal points in this area.

Link to the specific section, "Reacquiring Stolen Data": https://youtu.be/CNonofF0_lw?t=2177


This assumes there was a hack. If there wasn't, then there's nothing they can really do. They couldn't have reached out to customers before, they can't say they're looking into it (because there's nothing to look into), etc.

It feels to me that a few people got phished, and their accounts are being sold as proof. The rest could just be fake.

(Or, there was a hack, and Instacart handled it badly!)


Ok, I've edited the title to say what the article actually claims (i.e. its first sentence) rather than the stronger claim in the headline.


I would think that Instacart buying data obtained allegedly illegally -- even though it's allegedly their own data -- is likely a legal minefield.

In fact, my understanding is that generally buying a known ill-gotten item is illegal even in meatspace. Does it having originally been yours change that?


Lots of relatively large companies have whole lines of business based on buying dark web account dumps, and, last time I looked into it, the conclusion I reached (I'm not a lawyer, just someone who nerds out on this stuff) is that you're legally safe buying with the intention of recovering your own stolen data. You're probably crim-law safe regardless of whose data you're acquiring, as long as you're not a party to or have any kind of durable relationship with the people stealing the data.


Experian's lawyers were apparently comfortable enough with this line of work to buy a company that does it outright (CSID).

It was interesting because I'd worked at a startup, which used data from the people CSID had hired and that startup was acquired by Experian. At the startup we'd concluded this work was toxic and it'd be crazy to touch the company, we ensured the arrangement was completely at arm's length yet less than ten years later a huge public company felt it was OK to just buy the whole thing and swallow it.


I used to deal with this sort of stolen data (wow, it seems like a long time ago now). A big pile arrived every single morning before dawn.

At this scale you'd expect to find clear evidence it was Instacart users e.g. an account with email address dave+instacart@davesdomain.example. If there's nothing like that in the data then it's immediately suspicious, a small site might just not have any users with such breadcrumb trails in their email but a big dump like this should statistically have something because there are lots of people (including me) using a breadcrumb for every account.

This is how I know for sure that one of the banks I used years ago lost all their customer email/ name data even though they denied this at the time when it was news. I get scam emails to the address I gave them even now.

You'd also expect a company that cares about its users' data to have plausible-looking "watermark" accounts that trip alarms, so they'd be able to confirm this is their data. Even, if they did a proper job, what the source was (e.g. if you send a subset of data to a partner organisation you can add more watermark data and that lets you know if the data is stolen from that partner).


Have always been curious about this; if you stole data or are using stolen data why wouldn’t you just strip out the breadcrumb?


Two answers for that:

1. Crooks are lazy. Actually humans are lazy and crooks are human, but even more so criminal activity doesn't tend to come with any quality control. Even obvious data cleanup like fixing escaping often isn't done, because there's no incentive.

2. Breadcrumbs tend to be obvious to a human but a variety of schemes might be employed which means automation to strip them would need to be relatively sophisticated or it'll miss many of them. I used to use breadcrumbs of the form emanniamodXX@my-breadcrumb-domain.vanity.example where XX is two digits signifying when I updated this email address, like maybe 14 means May/June 2009. A human can stare at that address, see it says domainname backwards and realise it's a breadcrumb. But a trivial regex match will miss it.
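As an added example (not any commenter's code, and not something Instacart publishes), here is a defender-side check that runs over a purported dump and looks for the two breadcrumb schemes described above (a +tag naming the site, and the site name spelled backwards with a trailing date code) plus planted watermark accounts. The site name `instacart`, the sample addresses and the canary list are all constructed for the example.

```python
import hashlib
import re
from collections import Counter
from typing import Iterable, Optional, Set, Tuple, Dict

# Assumed site name under test (constructed for this example).
SITE = "instacart"

# Constructed sample of a purported dump; none of these are real accounts.
SAMPLE_DUMP = [
    "dave+instacart@davesdomain.example",           # plus-tag breadcrumb
    "alice.smith@mail.example",
    "tracatsni07@my-breadcrumb-domain.vanity.example",  # "instacart" backwards + 2 digits
    "Dave+InstaCart2019@davesdomain.example",       # plus-tag with a date, mixed case
    "bob@example.org",
    "cnry-2a91@watermark.example",                  # planted watermark account
    "carol+netflix@mail.example",                   # breadcrumb for a different site
]

# Watermark ("canary") accounts a defender plants in its own user table.
# Only hashes are kept here so the list itself does not reveal the addresses.
CANARY_HASHES: Set[str] = {
    hashlib.sha256(b"cnry-2a91@watermark.example").hexdigest(),
    hashlib.sha256(b"cnry-88f0@watermark.example").hexdigest(),
}

PLUS_RE = re.compile(r"^([^+@]+)\+([^@]+)@")


def is_plus_tag_breadcrumb(email: str, site: str) -> bool:
    """True if the address carries a +tag that names the site, e.g. dave+instacart@..."""
    m = PLUS_RE.match(email.lower())
    return bool(m) and site in m.group(2)


def is_reversed_breadcrumb(email: str, site: str) -> bool:
    """True if the local part is the site name written backwards, optionally
    followed by digits (a date/version code), e.g. tracatsni07@... for 'instacart'.
    A plain substring regex would miss this; reversing the stem catches it."""
    local = email.lower().split("@", 1)[0]
    stem = re.sub(r"\d+$", "", local)
    return stem[::-1] == site


def is_canary(email: str, canary_hashes: Set[str]) -> bool:
    """True if the address is one of the defender's planted watermark accounts."""
    digest = hashlib.sha256(email.lower().encode()).hexdigest()
    return digest in canary_hashes


def classify(email: str, site: str, canary_hashes: Set[str]) -> Optional[str]:
    """Label one address: 'canary', 'plus_tag', 'reversed', or None."""
    if is_canary(email, canary_hashes):
        return "canary"
    if is_plus_tag_breadcrumb(email, site):
        return "plus_tag"
    if is_reversed_breadcrumb(email, site):
        return "reversed"
    return None


def assess_dump(emails: Iterable[str], site: str,
                canary_hashes: Set[str]) -> Tuple[Dict[str, int], str]:
    """Count hits and return (counts, verdict). A canary hit is conclusive;
    breadcrumbs make the dump consistent with the site; a large dump with no
    breadcrumbs at all is the suspicious case the thread describes."""
    emails = list(emails)
    counts: Counter = Counter()
    for e in emails:
        kind = classify(e, site, canary_hashes)
        if kind:
            counts[kind] += 1
    hits = sum(counts.values())
    if counts["canary"]:
        verdict = "confirmed: planted watermark account present"
    elif hits:
        verdict = "consistent: site-specific breadcrumbs present"
    elif len(emails) >= 1000:
        verdict = "suspicious: large dump with no breadcrumbs at all"
    else:
        verdict = "inconclusive: too few rows to expect a breadcrumb"
    return dict(counts), verdict


if __name__ == "__main__":
    counts, verdict = assess_dump(SAMPLE_DUMP, SITE, CANARY_HASHES)
    print(counts, verdict)
```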


I’ve been using spamex for years. You can generate completely random email addresses.


"The company denied there had been a breach of its data."

This is about as serious a breach as it gets. To have (or claim) zero knowledge of it is pretty bad.

If the details of the story are correct, it would imply the attackers had full database access. I would not be surprised to learn the attack vector was gaining a privileged user's credentials, similar to the Twitter hack.


It is possible that they phished a few users (or used account details from another leak) and the rest of the data is BS.

I don't think they're claiming zero knowledge. They're doing the exact opposite: they're saying they have complete knowledge, and that it simply didn't happen. I hope, for their sake, that they are correct.


It's worth being precise here. They didn't deny there was a breach, they denied being aware of a breach. They didn't rule it out.


What if the data is mostly faked with the rest scraped from phishing attacks?

You can’t prove a negative very easily.


Anecdotal: Got hit with a password lock on a pretty unused Instacart account ~7 days ago (Jul 15).

Possibly a password leak from another site resulting in a targeted large-scale account access to download customer data from a leaky API? (Baseless commentary.)


Interesting! I get random password resets for Facebook, Instagram and some others... Probably some hackers using a script...

Then if people do that, wonder if they also try to signup people? That would explain things maybe... Like some sites don't verify emails for signups, had someone sign me up for Spotify on an email of mine, when I don't have an account using that email. Never verified the email but got login notification emails... I reset the password and deleted the account.

Then I get emails saying they are from Anna at Netflix wants to chat with me "If you’d like to chat before you start your subscription"... Idk if they like typed in my email and never finished signing up or what but creepy... I have heard some sites log uncompleted signups even if you never clicked submit.

Kinda makes me wonder if these people selling breach data sets would sign people up too, then, if it's an email someone used elsewhere, to bulk up the number of users in their so-called breach by adding newly created accounts, along with valid email/passwords harvested from other breaches. Then an inflated number would probably make their dataset worth more money to people trading the datasets on the dark web, I'd guess.


Exact same thing happened to me a few weeks earlier - July 2nd. Said my account was locked due to too many unsuccessful login attempts. I hadn’t used Instacart in years. Reminds me to delete unused accounts!


I had a similar thing happen last week with DoorDash, after the first two I contacted their privacy@ address and requested an account deletion via CCPA.


Isn't that closing the barn door after the horses left?


Not necessarily - if you catch it on unsuccessful login attempts and have no evidence they got into the account, it's likely they moved onto the next email address in their list and you can still go in and delete the account pre-compromise.


+1 to your anecdote on Jul 16.


Same here, I haven’t used Instacart in months and my account was locked on July 12th from bad login attempts.


This also happened to me last week on the 15th.


Same thing here


Back in March I started getting Instacart support emails for "Jocelyn Joans" concerning Redwood City Safeway (not nearby). Instacart.com produced an error when I tried to log in or reset my password. Since my email is unique for Instacart, I hadn't used Instacart in 5 years, and I did not have any Instacart correspondence in my email, there's very likely only one way someone could have accessed my account.

I sent an email to legal@ demanding my account be removed and to follow up that it had been done. The support emails stopped but I never heard from Instacart.

Edit: added “very likely;” clarity.


> I sent an email to legal@ demanding my account be removed and to follow up that it had been done. The support emails stopped but I never heard from Instacart after that.

I must've sent close to 50 of these emails to different companies / services I've used in the past. My request was always the same: a dump of my data, removal of my account and confirmation that my account was removed. To nobody's surprise, I never received a response to any of these requests.


It might be a little easier now, tell them you're an EU resident... and they have to by GDPR....


I don't reside in the EU, but I'm an EU citizen. I've quoted GDPR in those emails, but they don't seem to care. My best guess is that they don't even check the email accounts.


Next time, use the topic "Looking for your DPO for a GDPR concern"... trust me, someone will read that....


One major factor that may be contributing to this: Instacart doesn't offer 2-factor authentication (2FA).


Online shopping carts are a nightmare of reliability. I've pretty much abandoned my trust of them. I even spent time a few years ago contributing to the Ubercart code base. Something is very fishy in the manner in which financial transactions are handled, as if losses and fraud are expected and baked in.


I had stopped using them because they always overcharged. I contacted them and got an automated "we'll look into it" then never heard from them again. After reading the report of whatever has happened I tried to change my password. It wouldn't process it. So what now. Cancel the credit card? But other personal information still possibly compromised...


I stopped using them because they constantly overcharged and I could get -0- response. We'll look into it and that is the end. After seeing the report I tried to change my password and it wouldn't let me. So what do we do? Cancel the credit card on it? That still leaves personal info out there.


FWIW Instacart says it is credential stuffing: https://news.instacart.com/a-security-update-from-instacart-...


Well, this certainly explains why I keep getting notified by Instacart that someone is failing to log into my account. I'm deleting that garbage now.


Anecdotally, both credit cards I used on Instacart got popped for fraud right after each other in the past week.


Does instacart actually store credit card numbers, or just tokens? Why would they need to store the last 4 digits?


To populate the list of credit cards in your account.


I doubt they store credit card data (who does that?). The last 4 digits would be to display "Your Visa -5555" in a payment method picker.


Yeah, I just use google pay with them, which shows nothing, so there's nothing for would-be identity thieves to steal except my name and address hopefully.


It seems to be credential stuffing anyway, so unless you use the same password for every website (unfortunately lots of people do), you should be safe.


Isn't this their business model?

/s (kind of)


Jokes aside, I thought this was going to be about them selling this information, not a hack.


Well, this also explains why my instacart account got locked the other day for having too many failed attempts to access it.


This is very disheartening. I used Instacart quite a bit during my time onsite in NYC for a contract. I don't know why these companies have an initial reaction of denying anything happened, when in the end everyone will find out anyway. More egg on the face; just own it and work to be better.


If you're in NYC, Brooklyn, Long Island, or nearby areas, check out our farm-fresh online grocery service, OurHarvest @ https://ourharvest.com/?coupon=HACKERNEWS.

Use coupon code HACKERNEWS for 25% off your first order. We have a contactless delivery option at checkout if needed.

P.S. I'm the CTO and Co-Founder, if you need anything or have questions, email nick@ourharvest.com, or check out my GitHub at https://github.com/niftylettuce



