I would think that Instacart buying data obtained allegedly illegally -- even though it's allegedly their own data -- is likely a legal minefield.
In fact, my understanding is that generally buying a known ill-gotten item is illegal even in meatspace. Does it having originally been yours change that?
Lots of relatively large companies have whole lines of business based on buying dark web account dumps, and, last time I looked into it, the conclusion I reached (I'm not a lawyer, just someone who nerds out on this stuff) is that you're legally safe buying with the intention of recovering your own stolen data. You're probably crim-law safe regardless of whose data you're acquiring, as long as you're not a party to or have any kind of durable relationship with the people stealing the data.
Experian's lawyers were apparently comfortable enough with this line of work to buy a company that does it outright (CSID).
It was interesting because I'd worked at a startup that used data from the people CSID had hired, and that startup was acquired by Experian. At the startup we'd concluded this work was toxic and it'd be crazy to touch the company; we ensured the arrangement was completely at arm's length, yet less than ten years later a huge public company felt it was OK to just buy the whole thing and swallow it.