7,500 Instacart and Target Gig Workers Hacked in $30 Million Fraud
A shocking case of mass hacking has been uncovered, involving over 7,500 gig workers at Instacart and Shipt who were targeted by a group of eight men. The hackers made off with as much as $30 million, leaving both companies to pick up the pieces and reassess their security measures.
The FBI has accused the eight men of working together to acquire a stolen list of Instacart and Shipt shoppers from 2022 onwards. To gain access to these accounts, the defendants posed as Instacart and Shipt employees, contacting the shoppers with phishing emails or messages asking them to share a one-time passcode.
The scammers used this access to execute a sophisticated gift-card fraud scheme. They would submit orders through Instacart and Shipt, which they then accepted via their stolen shopper accounts. Once funds were available on their debit cards, the defendants bought gift cards instead of the requested items. They would then cancel the order and use the gift cards to buy online or acquire cryptocurrency, often exchanging it for cash.
The FBI alleged that the defendants used various tactics to gain access to additional active shopper accounts. These included submitting orders, contacting shoppers on the app, asking to arrange a call to add items to their shop. They would then pretend to be Instacart or Shipt staff, again asking for the one-time passcode under the pretense of a customer complaint.
Mid-2023, Target had noticed that some of its Shipt accounts were being used to buy gift cards instead of ordered items, which is against their terms of use. Surveillance footage showed the defendants purchasing gift cards using their Shipt accounts, along with relevant phishing texts and video footage.
Meanwhile, an undercover FBI agent contacted one of the alleged scammers on Telegram, where the suspect disclosed the nature of the scheme. The agent shared that the list of inactive drivers from the platform was being sold to hackers who could then gain access to their accounts by calling them.
The Impact on Instacart and Shipt
Instacart reported a loss of just over $16 million as a result of the fraud carried out over 5,500 compromised shopper accounts. Shipt lost $14.3 million, with 2,215 accounts hacked.
Both companies have assured customers that they take their security seriously and are working to prevent such incidents in the future. Instacart has been adding new layers of security, including "biometric screening" where workers are asked to provide a selfie that matches their government-issued driver’s license.
A Rare Case Highlighting Gig Worker Vulnerability
This case highlights the vulnerability of gig workers to hacking on a large scale. It is a rare incident showing how tech companies can be targeted in such a way, emphasizing the need for improved security measures to protect their employees.
"There's people who sell lists of inactive drivers from their platform. You call them and get access to their account," one of the suspects wrote on Telegram, according to the warrant. This shocking revelation underscores the complexity of the scheme and the sophistication of the hackers involved.