Home Chef, one of the largest meal kit delivery services based in the U.S. has suffered a data breach that has seen details of eight million of its customers being sold online.
Home Chef confirmed that the company “recently learned of a data security incident impacting select customer information,” in a statement on its website, and looks to be one of a number of victims of a widespread campaign by a group known as the Shiny Hunters.
According to Home Chef’s FAQ, “based on the information known to date, the following information was impacted in the incident: email address, name and phone number, encrypted passwords, the last four digits of credit card numbers, other account information such as frequency of deliveries and mailing address may have been compromised.”
“We are taking action to investigate this situation and to strengthen our information security defenses to prevent similar incidents from happening in the future,” the company said.
BleepingComputer is reporting that a hacking collective known as the ‘Shiny Hunters’ that managed to steal more than 73 million user records from a collective of 11 companies around the globe is responsible for the leak of Home Chef personal information. They report that “Shiny Hunters continued their rampage by claiming to hack into Microsoft’s GitHub account earlier this year and leaking files from the company’s private source code repositories.”
Considering that names, email addresses, and order information was potentially implicated in the data breach, there’s ample amounts of information for scammers and cybercriminals to launch extremely convincing phishing campaigns using personalised information. Analysts have also pointed out that encrypted passwords aren’t fully protected, either.
Tech Radar is reporting that “Shiny Hunters was recently selling user records of eleven companies on a dark web marketplace from $500 to $5,000 depending on the number of records each database contained.”
Shiny Hunters is reportedly flooding the dark web’s market, with a total of 11 user databases on offer now.
Home Chef has told its customers that “protection of customer data is a top priority for Home Chef, and we work hard to safeguard our customers’ information,” and that the company was “taking action to investigate this situation and to strengthen our information security defenses to prevent similar incidents from happening in the future.”
Anurag Kahol, CTO of Bitglass told Threat Post that “while the customer passwords in the leaked database were encrypted, there are tools that cybercriminals can leverage to decrypt them and potentially gain access to a number of accounts across multiple services that their victims use.”
Kahol told Threat Post that more than 65% of individuals re-use passwords across multiple account logins.
“All consumers, not just users impacted by this incident, should improve their password hygiene by diversifying their login credentials across different accounts in order to mitigate the chances of their account being hijacked,” Kahol concluded.
That report also quotes James Carder who is the chief security officer and vice president of LogRhythm who said that “Home Chef is one of the key players in the multi-billion dollar meal kit delivery industry and is owned by one of the biggest supermarket retailers, Kroger.”
“A company of this size must take responsibility for ensuring that sufficient security measures are in place to protect customer data and rapidly respond to cyberthreats. This is especially true now, as demand for delivery services continues to grow amid the coronavirus crisis. All companies in this sector must not falsely assume that they are immune to attack just because they have become an essential service to help people during a challenging time.