Large-Scale ‘Instacart’ Hacks Pushing Gig Workers in Despair

Last updated June 23, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

There’s a wave of hacks targeting gig workers who rely on platforms like Instacart to make ends meet, and according to numerous reports that come from victims, there’s really no way to deal with them once they get you. Because the pandemic has created a boom for online shopping, grocery delivery and pickup services like Instacart have exploded, welcoming tens of thousands of new shoppers. These people have found a way out of the lock-down-induced unemployment, and they were happy to be able to support themselves and their families again.

Hackers though were quick to take note of this activity, as they always do, and launched various targeted phishing campaigns against these people. If these accounts were making money, they were valuable, and hackers are after anything that they can potentially exploit to divert money into their pockets. The hackers steal the users' data, take over their accounts, and drain their earnings, all by phishing security codes to log in and create shopping orders.

As many Instacart shoppers report, if you fall victim to this, the platform will sooner or later deactivate you. To make matters worse, most find it impossible to get their accounts back to normal status even if they follow the advised procedure and give all the proof they are asked for. Instacart just seems to rely solely on an algorithm that handles these flags, so if an account has a suspicious activity like logins from two remote locations, for example, it will be very hard to reinstate.

But Instacart isn’t the only space where crooks are engaging. Last week, Vice reported about an uptick in hacking attempts against gig workers of Shipt, Target’s delivery platform. A large number of reports from Shipt users mention the reception of password reset emails, indicative of account takeover attempts.

These emails were followed by calls over the phone, where scammers pretended to be Shipt employees needing to verify the user’s account. For this, they asked the code that was emailed to them, allegedly as a result of a centrally-controlled verification process. The scammers then added a credit card to the victim’s account and emptied the balance by transferring the entire paycheck into their pocket.

In all cases, the responsibility to protect these accounts burdens the gig workers themselves. Even in the case of Shipt, where the 2FA step is in place, it isn’t something that simple yet effective social engineering cannot possibly overcome. If you are making money online on Instacart, or any other platform, beware of scamming attempts and remain vigilant against phishing actors at all times.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: