Home Chef Data Breach: Experts Commentary

Today it was announced that 8 million user records have been put up for sale by a hacker on a dark web marketplace after a breach of the US-based meal kit and food delivery service Home Chef. The database is listed at a price of $2,500, and a sample showcasing the information in the database table has been provided.

Expert Comments

May 21, 2020
Boris Cipot
Senior Sales Engineer
Synopsys
Attackers define the rules of engagement when it comes to carrying out data breaches, and attackers selling stolen data with the goal of monetary gain is nothing new. There is high demand for such information on the dark web to further carry out phishing campaigns, and similar attacks. Passwords—even encrypted passwords—can be cracked. If a hacker succeeds in accessing password data, it could be a key element in carrying out additional attacks. When we add email addresses to those cracked passwords, attackers may now be able to enter other services such as bank accounts, e-commerce sites, among many others. A particularly concerning element here is that users often recycle passwords across multiple accounts which makes things easy for attackers if they successfully get their hands on this information. For this reason, it’s of great importance to create unique passwords and to change passwords on a regular basis. I would urge users of one or more of the affected services to immediately change their passwords as a precaution. With regards to the last four digits of your credit card number, if you believe this is useless data without the full number, think again. Some services require you to only enter the last 4 numbers to confirm your identity. As such this data can be of use to attackers with the knowledge of how to make the most of such information. If you’re concerned that your card information may have been exposed, get in touch with your bank and credit card providers to ask for their guidance. It’s also a good practice for everyone to keep a close eye on the transactions being processed on your cards and accounts so as to avoid fraud and theft.
May 21, 2020
Erich Kron
Security Awareness Advocate
KnowBe4
This is an example of how companies of all sizes and in all industries need to ensure they are protecting their customer data. In this case, the bad actor is selling the 8 million records for only $500 to $2500, but the cost to the company and potentially to their customers, will far exceed that. While the information may not seem extremely useful at first glance, bad actors can use this information to craft very targeted attacks to these customers. By having email addresses, street addresses, phone numbers and the last four digits of a credit card number, scammers could very effectively impersonate someone from the breached organization, make some phone calls and request updated credit card information, passwords, etc. using social engineering techniques. In addition, depending on the encryption techniques and strength used, attackers could potentially decrypt passwords. While customers may change their password at this site, the bad guys know that people tend to reuse passwords across the internet and could use these credentials to perform something called a “credential stuffing” attack. This is where the bad guys take known credentials from one website and try to use them to log into other sites such as banking, other shopping sites, email accounts, etc. Victims of this breach should ensure that their passwords are changed at this site as well as anywhere else they are being used. They should consider enabling multi-factor authentication wherever possible and look into the use of password vaults, which generate random passwords for each site, eliminating reuse, and store them in a secure and easy to use way. Victims should also be aware that they may be a target of phishing or vishing schemes where scammers would call them using this information they have and try to get them to give up further information.
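The credential stuffing described above has a recognisable shape in a site's own login logs: one source trying many different usernames once or twice each, rather than hammering a single account. The following detector over constructed sample log lines is an added illustration for defenders, not code from the commentators or from Home Chef; the log format and the five-account threshold are assumptions.

```python
"""Credential-stuffing indicator over web login logs (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, client IP, username, result.
# 203.0.113.7 sweeps six accounts in seconds and gets one hit (a reused password);
# 198.51.100.4 is a normal user retrying their own account.
SAMPLE_LOG = """\
2020-05-22T10:00:01Z 203.0.113.7 alice@example.com FAIL
2020-05-22T10:00:02Z 203.0.113.7 bob@example.com FAIL
2020-05-22T10:00:02Z 203.0.113.7 carol@example.com FAIL
2020-05-22T10:00:03Z 203.0.113.7 dave@example.com OK
2020-05-22T10:00:04Z 203.0.113.7 erin@example.com FAIL
2020-05-22T10:00:05Z 203.0.113.7 frank@example.com FAIL
2020-05-22T10:00:09Z 198.51.100.4 alice@example.com FAIL
2020-05-22T10:00:30Z 198.51.100.4 alice@example.com FAIL
2020-05-22T10:00:45Z 198.51.100.4 alice@example.com OK
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result

def find_stuffing_sources(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: (distinct_users, successes)} for sources that attempted at
    least `min_users` distinct accounts inside one `window`. Unlike a brute
    force on a single account, stuffing fans out across usernames, so the
    distinct-username count per source is the signal, not the failure count.
    A non-zero success count means a reused password worked and that account
    needs a forced reset and session revocation."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            events[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_win}
            if len(users) >= min_users:
                successes = sum(1 for _, _, r in in_win if r == "OK")
                flagged[ip] = (len(users), successes)
                break
    return flagged
```

The same fan-out count can be keyed on an autonomous system or a user-agent fingerprint instead of a single IP when the attacker rotates through proxies.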
May 21, 2020
Chris Clements
VP
Cerberus Sentinel
Unfortunately, like the vast majority of breached companies, it appears that Home Chef was only alerted that there was a problem after their customers’ information was already posted for sale online. It’s likely that the attackers had Home Chef compromised for some time and may in fact still have access to their systems and data. They could still be actively stealing customer information. Without confirmation from Home Chef, it’s impossible to know. The “move fast and break things” mentality of many startups often means that security is an afterthought. Sadly, it’s the customers who end up paying the price for their lack of security focus in such cases. Home Chef’s messaging in response has been very terse, stating only that some of their data was compromised and that they are investigating, while encouraging users to change their passwords.
May 21, 2020
Robert Prigge
CEO
Jumio
Home Chef’s breach of 8 million records puts more than customers’ meal kit delivery services at risk. Whether ordering food or playing innocent games on your phone, cybercriminals are looking for every opportunity possible to acquire user data. The exposed encrypted passwords can easily be decrypted and used to access other accounts including bank accounts, social media profiles, health insurance and more. Other exposed information including email addresses, gender, age and last four credit card digits can be combined with other available information on the dark web to create a “fullz,” giving fraudsters everything they need to commit automated account takeover fraud. It’s clear passwords (even encrypted ones) can’t be trusted to keep user data safe. As individuals are increasingly turning to online services amid the pandemic, businesses with an online presence need to be doing all they can to keep user information secure. Biometric authentication (using a person’s unique human traits to confirm identity) ensures that only the rightful owner can access their personal information.
May 22, 2020
James Carder
Chief Information Security Officer & Vice President
LogRhythm Labs
Home Chef is one of the key players in the multi-billion-dollar meal kit delivery industry and is owned by one of the biggest supermarket retailers, Kroger. A company of this size must take responsibility for ensuring that sufficient security measures are in place to protect customer data and rapidly respond to cyberthreats. This is especially true now, as demand for delivery services continues to grow amid the coronavirus crisis. All companies in this sector must not falsely assume that they are immune to attack just because they have become an essential service to help people during a challenging time. Hackers exploit any organisation that has access to vast amounts of valuable information – no matter the industry. Unfortunately, Home Chef’s reported data breach has compromised the account credentials, as well as other personal and financial data, of 8 million user records. There are still many unknowns around how the hackers gained access to the database, and at the end of the day, it is Home Chef’s duty to disclose the details of the breach, ensuring that the specific attack vector has been remediated and that controls have been put in place to prevent and respond moving forward. It is evident that Home Chef lacked stringent security strategies. Passwords were only protected by weak encryption, which hackers can easily decrypt using software. For some users, passwords are their only line of defence on the web and, unfortunately, the majority of users do not practice strong password hygiene. Bad actors will eagerly leverage this valuable information for several attack strategies, from brute force logins to spear phishing. In a recent Google survey, 52% of respondents reported reusing the same password across multiple accounts. When massive breaches like this occur, it puts millions of vulnerable consumers at risk. As such, companies must make it a priority to stay vigilant and protect their data assets.
Advanced monitoring and detection controls are key in avoiding and staying ahead of critical breaches like this one.
May 22, 2020
Dr. Vinay Sridhara
CTO
Balbix
Companies are increasingly shifting their business models online, especially now due to new remote work policies amid the coronavirus crisis. Food delivery services such as Home Chef are currently in great demand and for customers to use these services, they must first create accounts with email addresses and passwords as well as other personal and financial data. Home Chef must ensure that the account data it collects and manages on millions of users is properly protected. Compromised credentials still account for over 80% of hacking-related data breaches, making credential theft a worthy target for sophisticated hackers like Shiny Hunters. Considering that 99% of employees reuse passwords across an average of 2.7 work and personal accounts, it is highly likely that this breach compromised many more millions of accounts beyond the Home Chef accounts alone. For Home Chef, this breach should serve as a rude awakening to ensure a strong security posture is met, including implementation of an effective multifactor authentication strategy for access to all customer data. For consumers and enterprises, this is a similar wake-up call to leverage multifactor authentication whenever possible, and to stop reusing passwords across sites.
May 22, 2020
Chris DeRamus
VP of Technology Cloud Security Practice
Rapid7
It’s more essential than ever for companies like Home Chef, a meal kit and delivery service, to ensure they have proper security protocols to keep customer information safe. More often than not, companies’ security and compliance practices are reactive, meaning they do not address or are unaware of a system vulnerability until after a breach occurs. However, to properly protect consumer data, organizations must transition to more modern, proactive security measures. Companies should deploy automated security solutions that can detect vulnerabilities in real time and trigger instant remediation or alert the appropriate personnel of the issue before customer privacy is compromised. Organizations should also implement multi-factor authentication (MFA) for all users on their systems, securely manage service accounts and their corresponding keys, and enforce best practices for the use of audit logs and cloud logging roles.