7,500 Instacart And Target Gig Workers Hacked In $30 Million Fraud

Posted by Thomas Brewster, Forbes Staff | 4 hours ago


Eight men have been accused of hacking into over 7,500 gig workers’ accounts at Instacart and Target-owned Shipt to defraud the companies of as much as $30 million, according to a search warrant and an indictment reviewed by Forbes.

It’s a rare case showing how gig workers are vulnerable to hacking at scale, which can be damaging for the tech companies that employ them.

In the court documents, filed earlier this month in Ohio and Michigan, the FBI claimed that from 2022 onwards the accused worked together to acquire a stolen list of Instacart and Shipt shoppers who were tasked with buying and delivering items to customers of the two apps. To get into accounts, the defendants posed as Instacart and Shipt employees, contacting the shoppers, some of whom were inactive, to ask if they wanted to continue doing deliveries, according to the FBI’s account. The scammers asked the victims to share a one-time passcode to give them access to the account, purportedly to remove their account, reactivate it or confirm their status as active.

But instead they allegedly used that access for a gift-card fraud scheme. The accused would submit orders over Instacart and Shipt, which they would then accept via their stolen shopper accounts, investigators said. Because user orders go to the nearest shoppers, it’s simple to engineer a task to go to a specific account. Once funds to cover the cost of the goods they were supposed to buy were available on their shopper debit cards, the defendants bought gift cards rather than the items requested, according to the FBI. Meanwhile, posing as the original customer, the swindlers cancelled the order to get a refund. Typically they used the gift cards to buy items online or acquire cryptocurrency, the government said; often, they’d exchange the crypto for cash.

According to the search warrant for one of the suspects’ properties, the defendants used another method to get into additional active shopper accounts: they put in an order, then contacted the shopper on the Instacart or Shipt app asking to arrange a call so they could add items to the shop. This gave them the gig worker’s phone number, which they later called pretending to be Instacart or Shipt staff, again asking for the one-time passcode for the account under the pretense that a customer had complained that their profile image didn’t match the person who made the delivery, investigators alleged.

By mid-2023, Target had noticed the Shipt accounts were being used to buy gift cards rather than the ordered items, which is against its terms of use. Later, the men were seen on surveillance cameras purchasing the cards using their Shipt accounts, according to the warrant, which included the relevant phishing texts and video footage.

Meanwhile, an undercover FBI agent contacted one of the alleged scammers on Telegram, where the suspect disclosed the nature of the scheme, according to the warrant. “There’s people who sell lists of inactive drivers from their platform. You call them and get access to their account. Afterwards you take the preloaded card and get gift cards,” the suspect wrote, per the warrant.

Lawyers for the defendants had not responded to requests for comment at the time of publication. Court dockets show the men have been charged with wire fraud but are yet to file a plea. The DOJ did not respond to a comment request.

The FBI said Instacart reported a loss of just over $16 million as a result of the fraud carried out over 5,500 compromised shopper accounts. Shipt lost $14.3 million and had 2,215 accounts hacked.

Shipt VP of communications Evangeline George confirmed the company had cooperated with police on the investigation. She said the privacy of Shipt’s members and staff is a priority.

Instacart said only a small number of its 600,000 shoppers’ accounts were compromised. “There was no breach of Instacart’s systems, and we quickly detected unauthorized activity and proactively engaged law enforcement,” said spokesperson Charlotte Healow. “We’re grateful for their efforts and pleased to see the bad actors held accountable.”

It’s not the first time fraudsters have targeted Instacart’s gig workers. In 2021, the company said hackers had broken into accounts by using login information leaked online from previous data breaches. As a result of the attacks, Instacart has been adding new layers of security, including “biometric screening” where workers are asked to provide a selfie that matches their government-issued driver’s license.
