Instacart insists it's probably your fault if your account got hacked

Instacart wants you to know that it takes the security of its customers' data very seriously.

With that in mind, the grocery-delivery dispatcher announced Thursday that if your account data is among the scores reportedly being sold on the dark web. then it's probably your fault.

According to the late afternoon blog post, a number of Instacart customers likely fell victim to what is known as credential stuffing. In no way, Instacart insists, was its platform "compromised or breached."

For the blissfully unaware, credential stuffing is a form of hacking that relies on victims reusing the same password across multiple online accounts (which people tend to do). So, if hackers manage to get ahold of emails and passwords from one service — like, possibly, TicketFly — they can then try those combinations en masse on a host of other platforms.

That, Instacart claims, is what it believes happened to its customers.

This Tweet is currently unavailable. It might be loading or has been removed.

"In this instance, it appears that third-party bad actors were able to use usernames and passwords that were compromised in previous data breaches of other websites and apps to login to some Instacart accounts," reads the blog post. "In some instances, this would have given the third party bad-actors access to basic customer account information such as first name, address, last order, total order number, and in some cases, the last four digits of a customer's credit card."

Of course, if Instacart offered two-factor authentication (and people used it) then this entire mess could have been avoided. As far as we can tell, Instacart does not offer this standard security feature. Its help page makes no mention of it, for starters. We also created an account, and attempted to enable the feature to no avail.

We reached out to the company for comment and to confirm that it does not offer 2FA, but received no immediate response.

Instacart doesn't get into specifics about how many customers were affected (we also asked that when we reached out to the company), but thankfully a Wednesday report from BuzzFeed News does. According to the publication, "sellers in two dark web stores were offering information from what appeared to be 278,531 accounts, although some of those may be duplicates or not genuine."

SEE ALSO: Instacart will provide 'safety kits' to Shoppers, but still no hazard pay

That, if Instacart is to be believed, represents a lot of reused passwords.

Thankfully, however, its customers can rest easy knowing that the "security of [Instacart's] customers' accounts and data is a top priority," and that Instacart thinks this entire mess was probably their fault anyway.