Shipt has suffered a massive security breach

The tech giant (Target owned) Shipt (known by many as a grocery delivery service) has partnered with Stripe, a payment processor company, and launched a new feature for Shoppers called “Instant Pay,” which allows Shoppers to cash out their earnings in an instant to their bank accounts without having to wait until payday.

Many gig companies such as Instacart and DoorDash have enabled this feature for their Shoppers and Delivery Drivers over the past few years. It’s allowed convenience for those in need of cash money now.

In recent months, there’s been an increase of reports that Shipt Shoppers’ accounts have been compromised. One such feature report includes an individual who claims he was contacted by scammers claiming to be a Shipt Shopper Support agent, later finding out it was all a plot to get his account credentials. He lost his hard earned $500 to a scammer.

Watch below. (switch quality to 720p )

Laymon’s unique situation above is different from the following due to a difference in the way the information was obtained. He fell for a scammer, but recent reports in the past few weeks have been from hacks, not scammers. The video has garnered national attention and other Shoppers who’ve experienced similar issue(s) have come forward to share their stories.

According to Shoppers, some of the ways they’ve been noticing suspicious activities in their accounts is when they start receiving emails that contain a reset password email with a link. Whether these emails and the link are legitimate or not, is unclear.

Others have claimed to just randomly had their accounts hacked into (despite two factor authentication) and drained of their funds—without providing any information to anyone and/or receiving any emails about resetting their password.

Many Shoppers have been left in the dark about what is truly happening. There has been no email or updates from Shipt. This is a very important factor to consider because there is discourse among Shipt Shoppers that this is happening because Shoppers are not enabling 2FA, but many Shoppers dispute this, as explained in this article.

But what does the partnership with Stripe have anything to do with this?

According to Shoppers, once the instant pay feature has been used (even just once), there appears to be problems with Shopper accounts getting compromised. The problem is so widespread that Shipt has continuously sent out emails on their weekly newsletter(s) telling Shoppers to enable two factor authentication.

IMPORTANT: Even if two factor authentication is enabled, the hackers somehow find a way to hack their way into Shoppers’ accounts. Many shoppers have found themselves perplexed as to how hackers were able to gain access to accounts, some presuming the breach came internally by Shipt headquarters support staff. Others are saying that it might be former disgruntled Shipt HQ employee(s) (not Shipt Shoppers) who are causing headaches for workers.

In addition to this, there’s also been reports from individuals that haven’t used the Instant Payout feature being compromised as well.

Once a Shoppers account has been found to have been compromised, Shipt will temporarily deactivate their account while they investigate the issue, causing hardship and a loss of income for workers.

The effects vary from Shopper to Shopper. Some say their accounts have been drained of their hard earned money. Others are saying that they, too, received a password reset email without them requesting it. But the consensus remains the same: a massive breach has happened and Shipt has not taken responsibility nor admitted a potential security breach.

Despite these efforts by Shipt to protect accounts, Shoppers’ Accounts continue to remain compromised.

Shipt has not publicly come out that they’ve suffered this, but Shoppers say otherwise. It is unclear how hackers are obtaining email addresses from Shoppers. A few questions Shoppers have highlighted:

• What exactly is going on?!

• How are MANY Shoppers suffering from this issue?

  • And more specifically, how many are affected?

• Where are the hackers getting email addresses from?

  • In order for a Shopper to receive a password reset email, they have to request a password reset email and must enter their email address in order for the system to send this email out. Clearly there must be a list out there of some sort.

• If Shipt was breached, why haven’t they said anything?

• How have hackers been able to get into accounts, clearly bypassing Shipt’s security (despite some having two factor authentication on)?

They’ve neither validated or denied the allegations that they’ve suffered a breach, but one thing remains for sure: this issue is still happening, despite their ramped up security efforts.

Have you been personally affected?

We would love to hear from you.
Please fill out this anonymous survey if you’d like: Shipt Breach Survey

Your response will help us gather further information on how far this breach has affected Shoppers and will allow us to continue our advocacy on this issue.