Instacart may have offered Americans a way to stay safe during the pandemic by doing their grocery shopping online, but now the grocery app may have put customers at risk after 278,531 accounts were found on sale in two dark web stores.

The information began making its way to the dark web stores in June and the sellers apparently were still uploading data this week as COVID-19 cases rose in the U.S.

“This is the most personal information – where someone lives, their buying habits, etc., and especially for people living alone, their information has been made public,” said Chloé Messdaghi, vice president of strategy, Point3 Security. “The most likely bet is that this is a phishing situation. The most important thing is to let customers know their data is out there and urge them to change passwords and monitor accounts. These are historic times and some bad actors are driven to these types of attacks by urgent financial need.”

So far, the sellers haven’t been identified, nor have their methods for obtaining the data, but Thomas Richards, principal security consultant at Synopsys, doesn’t believe that a phishing attack was used, since “it would take much more effort than the selling price would offer.” Instead, credential stuffing could be the culprit. “I would recommend that Instacart investigate if there were a high number of failed login attempts on accounts which would indicate an attempt to password spray/stuff while also looking for login attempts from invalid users,” he said.
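The check Richards describes, written out as an added example that is not part of the article or of any Instacart code: it scans constructed login records (the space-separated log format, the IP addresses, the account names and the alert thresholds are all assumptions) and flags a source that fails against many distinct accounts and also tries usernames that do not exist, which is the pattern credential stuffing leaves and an ordinary mistyped password does not.

```python
from collections import defaultdict

# Constructed sample auth log (not real data): timestamp, source IP, username, result.
# Results are OK, FAIL (wrong password) or UNKNOWN_USER (account does not exist).
SAMPLE_LOG = """\
2020-07-22T10:00:01Z 203.0.113.7 alice@example.com FAIL
2020-07-22T10:00:02Z 203.0.113.7 bob@example.com FAIL
2020-07-22T10:00:02Z 203.0.113.7 carol@example.com UNKNOWN_USER
2020-07-22T10:00:03Z 203.0.113.7 dave@example.com FAIL
2020-07-22T10:00:03Z 203.0.113.7 erin@example.com OK
2020-07-22T10:00:04Z 203.0.113.7 frank@example.com UNKNOWN_USER
2020-07-22T10:00:05Z 203.0.113.7 grace@example.com FAIL
2020-07-22T10:01:00Z 198.51.100.9 alice@example.com FAIL
2020-07-22T10:01:30Z 198.51.100.9 alice@example.com OK
"""


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "result": result})
    return events


def find_stuffing_sources(events, min_failures=4, min_distinct_users=4, min_unknown=1):
    """Per source IP, count failures, distinct accounts tried and unknown usernames.

    A source is flagged only when all three thresholds (assumed values) are met:
    a single user retrying one account never spreads across many usernames,
    and never hits accounts that do not exist. Successful logins from a flagged
    source are reported separately, since those are the accounts to reset first.
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "unknown": 0, "ok": []})
    for e in events:
        s = stats[e["ip"]]
        s["users"].add(e["user"])
        if e["result"] == "OK":
            s["ok"].append(e["user"])
        else:
            s["failures"] += 1
            if e["result"] == "UNKNOWN_USER":
                s["unknown"] += 1
    flagged = {}
    for ip, s in stats.items():
        if (s["failures"] >= min_failures and len(s["users"]) >= min_distinct_users
                and s["unknown"] >= min_unknown):
            flagged[ip] = {"failures": s["failures"], "distinct_users": len(s["users"]),
                           "unknown_users": s["unknown"], "succeeded": s["ok"]}
    return flagged
```

On the sample, 203.0.113.7 is flagged with one successful login (erin) to follow up on, while 198.51.100.9, a user who mistyped once and then logged in, is not.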

Richards points to Instacart’s weaknesses. The delivery app apparently lets customers use three possible methods of authentication – an Instacart account, Google and Facebook. “While Google and Facebook appear to have strong account password policies and protections, Instacart’s password policy only requires six characters,” said Richards. “This is below the industry standard and is considered a weak password policy.”

The size of the underlying breach “shows how vulnerable cloud data and infrastructure is if not properly managed,” said Paul Martini, CEO and co-founder of iboss. “This should call into question what cybersecurity decisions are being made while building and creating cloud services for consumers.”