In July, Roberta, an Instacart worker who lives on the Jersey Shore, got an email from Instacart saying her account's email and phone number had been changed. Her account had been hacked, but the hacker seemingly wasn't trying to drain her bank account. Instead, someone was actively shopping orders on her Instacart account.
Locked out of her account, Roberta contacted Instacart's shopper support (Instacart calls its gig workers “shoppers”), and learned someone had also changed her New Jersey home address to Atlanta and accepted an order at ShopRite for $21.72, according to screenshots reviewed by Motherboard. After resetting her email and password, Diana said someone hacked her Instacart account nine more times between July 1 and July 20, and accepted at least two more batches of orders.
Motherboard allowed Roberta to use her first name only for this story because she feared retaliation from Instacart or being targeted again. Since June, at least 12 gig workers on the grocery delivery platform Instacart have had their accounts taken over by hackers who changed personal information—and in some cases, accepted or shopped orders on their accounts, according to the Gig Workers Collective, a grassroots labor non-profit that organizes gig workers across the country.
Roberta and three other hacked shoppers Motherboard spoke to never learned why their accounts were hacked. "We may not be able to share full details for privacy reasons," an Instacart representative wrote to Roberta in an email reviewed by Motherboard. "But, a dedicated task force is working on investigating this case." Five of these Instacart shoppers say that, after they were hacked, Instacart deactivated their accounts, effectively firing them, for failing to complete orders they say they never accepted.
Hacked Instacart shoppers worry that their accounts could be used by other shoppers to earn income under their social security numbers, income that they will later have to pay taxes on. For those who rely on Instacart to pay for rent and food during the pandemic, getting hacked has meant that they don't have access to money for days. Their ratings and cancellation rates (which factor into the algorithms that determine who gets orders) suffer when they regain access to their accounts.
The hacking incidents, the apparent use of third-party bots to secure orders, and new workers flooding the market because of the pandemic have fueled bizarre theories on Instacart shopper Facebook groups, including that undocumented immigrants are taking their accounts and scooping up bundles of orders, which are in high demand. Some shoppers on these Instacart Facebook groups have begun calling minority Instacart shoppers “bots” and “zombies.”
"Literally saw 8 Brazilians (1 or 2 Hispanics and 1 African…it really doesn’t matter the race) at my Costco yesterday shopping big orders," a shopper posted on Facebook in April. "I was just shopping for myself but pulled out my phone to see if I could get a batch. Nope….Ughhh. Literally the most annoying thing ever seeing it in person."
"There is a video circulating on the web of Brazilian hackers [sic] taking orders and instacart does nothing," another Instacart shopper posted on Facebook. "They are people who in the great majority cannot work for the company because they do not have the necessary documents and still fuck with those who want to work honestly."
Another Instacart shopper wrote, "the Bot Shoppers are back here in Santa Clarita Calif. Walking around Costco like Zombies, not knowing where items are and asking Costco employees where to find items. They seem to have heavy accents."
The hacks coincide with a period of rapid expansion at the on-demand grocery delivery platform, which has become an essential service for many immunocompromised and elderly Americans avoiding grocery stores during the pandemic. Since April, Instacart has hired roughly half a million new gig workers and reported profitability for the first time since its 2012 founding. A spokesperson for the company told Motherboard that customer order volume was up by as much as 500 percent year-over-year. During the pandemic, as Motherboard has reported, multiple opportunists have developed automated bots that give gig workers who pay, in some cases, thousands of dollars, the advantage of being able to accept orders faster than those who can't.
As an elusive supply of orders has driven shoppers into fierce competition (shoppers spend hours refreshing their phones ad nauseam in order to find lucrative orders), rumors have circulated widely on Instacart social media forums, blaming the decline of available work and wages on an influx of undocumented, non-English speaking, Latinx (specifically Brazilian) immigrants. Many of these posts claim immigrants have paid for automated third-party bots that hack shoppers' accounts, allowing them to shop on Instacart without social security numbers.
Motherboard has spoken to a handful of Instacart shoppers who cited this theory, saying they'd either seen an influx of immigrants shopping in their stores in groups (breaking Instacart policy) during the pandemic, using strange apps that didn't look like Instacart on their phones, or else heard about the theories on social media and found them credible.
The theory has divided shoppers along political lines, sparking harsh rebukes from shoppers condemning xenophobia and racism. "I’m seeing so much racism and xenophobia being disguised as 'oh no [sic] the bots.' It’s seriously fucking disgusting," one shopper wrote on Facebook. "I’m sure bots exist but I’m not buying that they’re this massive conspiratorial problem whatsoever."
Despite the flurry of racist and xenophobic rumors, Motherboard has obtained no hard evidence indicating that bots have hacked shopper accounts, or are playing a significant part in the disappearance of work on the app, though the first documented cases of hacked and taken-over accounts line up closely with the rise of opportunists using bots to snatch up orders: both began in the early months of the pandemic.
Experts say Instacart shoppers' inclination to blame immigrants and bots, as opposed to Instacart itself for overhiring, fits within a longer trend of scapegoating immigrants and technology when workers see their earnings dry up. (Motherboard could not corroborate shoppers' claims that bot and hacking services are being purchased primarily, or at all, by undocumented immigrants.) Often when workers of color and immigrants enter an industry dominated by white workers, such as manufacturing in the 1960s and nursing in the 1990s, white workers fear their working conditions and wages will suffer. (Compared to rideshare and food delivery apps like Uber, Lyft, GrubHub, and DoorDash, whose workers are often BIPOC and immigrants, Instacart's workforce looks a lot whiter, particularly outside of coastal cities. For years, the app has been popular among working-class suburban moms, seeking work that can be structured around childcare.)
"There's a long history of this. Some of it is racist scapegoating, but some of it is just muddled fear of technology [replacing their jobs]," Jamie McCallum, a professor of sociology at Middlebury College and the author of Worked Over: How Round-the-Clock Work Is Killing the American Dream, told Motherboard. "Yet neither [immigrants nor machines] have really turned out to be the bogeyman they're purported to be. Machines and immigrants don't lower wages. Bosses lower wages."
In fact, data shows that workers fear technology even more than immigrants. "Survey data shows that American workers are more afraid of being replaced by robots than by immigrants, are hesitant to apply for jobs in which applicants are sorted by algorithms, and strongly believe automation will drive down wages," McCallum writes in his book Worked Over.
On August 20, Instacart sent an email to some gig workers and published a post on Medium, explaining that two third-party support vendors that the company works with had "reviewed more shopper profiles than was necessary in their roles as support agents," including the name, email address, and telephone numbers of 2,180 shoppers, according to an email addressed to gig workers obtained by Motherboard.
None of the four shoppers that Motherboard spoke to who had their accounts hacked said they received this email, and a spokesperson for Instacart told Motherboard that no shopper data was stored, downloaded or copied in any way during the security breach. But the shoppers who have had their accounts compromised have faced severe disruption to their incomes.
After days of back-and-forth and waiting, an Instacart representative finally advised Roberta to get a new phone number and email address. "I wasted 30 hours of my life trying to get my account back," Roberta told Motherboard on the phone. "Eventually I just had to change my phone number and email entirely."
"I shop seven days a week. When I was hacked, I couldn't access my account for five days," Sharon, a shopper in Connecticut who had her account taken over in early August, told Motherboard. "I worry if this is going to happen again. I wake up every day stressed about my account. You shouldn’t have to wait five days like I did to have this fixed."
In recent months, the company has also begun addressing the unauthorized use of third-party bots, deactivating shoppers it believes use these third parties to secure orders, and partnering with the security platform HackerOne to develop a bot bounty program that combats third parties selling their automated tools to Instacart shoppers.
When asked about shoppers who have recently had their accounts taken over, Instacart told Motherboard that hackers could have gained access by way of a phishing text and email or because the shoppers themselves gave personal information to bots in order to secure batches. None of the four hacked shoppers that Motherboard spoke to say they gave personal information to any third parties.
Angie, an Instacart shopper in North Carolina, who was hacked and subsequently deactivated in June, told Motherboard that someone changed her phone number, email, password, and bank account information and shopped two orders in a North Carolina city she had never worked in while she was on vacation in Florida. Shortly after, her account was deactivated due to two undelivered batches.
"I didn't know anything about the hack until I was deactivated. I tried to sign in when I returned from vacation and it was deactivated. I am still deactivated," she wrote to Motherboard. "[Instacart] didn't care that I was a great shopper. They didn't care that someone hacked my account and I could prove it. They didn't care that I had never shopped in these areas or stores. They didn't care about any of that."
Organizers suspect the 12 cases of shoppers having their accounts hacked and taken over are just the tip of the iceberg, considering many shoppers who have been hacked are not active on the platform, and might not notice that someone has accessed their account.
"The number of times security breaches that have happened on Instacart in and of itself should make people feel uncomfortable," said Vanessa Bain, an organizer at the Gig Workers Collective. "I do wonder if the bots and hacking are connected because they emerged at similar times, but we can't say with sincerity or knowledge that that's happening."
Over the years, security breaches have become a routine occurrence on Instacart. In July, BuzzFeed reported that the personal information of what could be hundreds of thousands of Instacart customers, including names, order histories, and credit card numbers, was being sold on the dark web. Last fall, Instacart shoppers received letters from the IRS with other Instacart shoppers' personal information. For years, Instacart (and DoorDash) gig workers have reported having their accounts hacked and earnings drained.
After Motherboard published this article, a spokesperson provided the following statement: “We’re proud of the diverse community of shoppers we support across the Instacart platform and have zero tolerance for any conduct that is harassing or discriminatory in nature. Our shopper community guidelines and shopper agreement make clear that any shopper who participates in any activities that violate our guidelines is deactivated from the platform. The security of the Instacart community remains our top priority, and we’re deeply concerned about the accusations made in this story. We take the integrity of the Instacart platform very seriously and have a Trust & Safety team dedicated to monitoring the unauthorized use of the platform which includes all efforts to prevent illicit and fraudulent third-party apps from violating our terms of service. As a part of this work, our team has proactively implemented robust authentication measures to help block unauthorized access including removing and banning bad actors from the platform, taking legal action where necessary, and deactivating shoppers found to be misusing the platform.”