What happened in the Instacart hack?
Instacart is an American company that arranges grocery delivery and pick up in the United States and Canada. Much like other personal shopping/delivery services, Instacart requires users to create user accounts with them that store user credentials and payment info.
A recent data leak revealed that around 278,531 accounts were breached, and their information was sold on the dark web by 2 stores. The leaked data consisted of a user’s order history, names and the last 4 digits of their credit cards. While the authenticity of the data is still questionable as there is a possibility of data duplication, Nick Espinosa who is the head of the Cyber security firm ‘Fanatics’ understands that this is a genuine data breach.
In a tweet by the official Instacart twitter handle, they mentioned that the busines was subjected to credential stuffing which was carried out by a 3rd party bad actor.
Credential stuffing is when bad actors use a collection of user credentials and literally “stuff” them into the login page to compromise an application and its users.
This could be happening to your online shopping store
Initially, there was no response from Instacart regarding the breach which makes you wonder if they were aware of such a breach? And if they were; why wasn’t the public informed about this BEFORE the data ended up on the dark web?
Speaking to Buzzfeed, a spokesperson for Instacart stated that the company was not aware of a breach at the time and that they take data protection and privacy seriously.
While that may be the case, the fact that the company was unaware of the breach raises a red flag. If bad actors can exploit vulnerabilities in a particular service undetected, how can you guarantee that the same is not happening to your business?
How to stop your eCommerce store from being hacked
To prevent similar breaches at your eCommerce business, it is crucial that you understand the necessary practices that would reinforce the security of your business.
Let us look at a few steps you could take to minimize cyber threats:
- Conduct regular cyber risk assessments using highly recommmended vulnerability scanning tools like Cyber Chief.
- Train and educate staff on the importance of security practices both physical and digital.
- Form and train an incident response team to mitigate damages from potential attacks.
- Improve endpoint authentication validation.
- Be especially careful if your store has a mobile app and regularly conduct Android and iOS app penetration tests to ensure that you find security holes in your app before hackers find them.
- Encourage users to use strong passwords by programmatically prohibiting the use of weak or common passwords.
- Get an ecommerce store penetration test done for your store at least annually.
Before you begin securing your eCommerce application
It's important to understand that implementing only one or two strategies is not going to yield positive results. You will have to experiment and see what works best for your site, but be consistent in your efforts.
If you are new to ecommerce store security practices, then partnering with knowledable and practical experts will help you implement the right security controls faster and for cheaper than contracting a vendor to conduct full-blown penetration testing services.
Otherwise, it will be just a waste of your time and resources. If you need help with cyber security aspects of your ecommerce store, reach out to our friendly team who also speak your language.