Today, it is announced that an 8 million user records have been sold by a hacker on a dark web marketplace after breaching data from the US-based meal kit and food delivery service known as the Home Chef. And this database has been sold with a price of $2,500 and a sample is provided showcasing the information in the database table.
Home Chef is one of the key players in the multi-billion-dollar meal kit delivery industry and is owned by one of the biggest supermarket retailers, Kroger. A company of this size must take responsibility for ensuring that sufficient security measures are in place to protect customer data and rapidly respond to cyberthreats. This is especially true now, as demand for deliver services continues to grow amid the coronavirus crisis. All companies in this sector must not falsely assume that there are immune to attack just because they have become an essential service to help people during a challenging time. Hackers exploit any organisation that has access to vast amounts of valuable information – no matter the industry.
Unfortunately, Home Chef’s reported data breach has compromised the account credentials, as well as other personal and financial data, of 8 million users records. There are still many unknowns around how the hackers gained access to the database, and at the end of the day, it is Home Chef’s duty to disclose the details of the breach, ensuring that the specific attack vector has been remediated and that controls have been put in place to prevent and respond moving forward.
It is evident that Home Chef lacked stringent security strategies. Passwords were only protected by weak encryption, which hackers can easily decrypt using software. For some users, passwords are their only line of defence on the web and, unfortunately, the majority of users do not practice strong password hygiene. Bad actors will eagerly leverage this valuable information for several attack strategies, from brute force logins to spear phishing. In a recent Google survey, 52% of respondents reported reusing the same password across multiple accounts. When massive breaches like this occur, it puts millions of vulnerable consumers at risk. As such, companies must make it a priority to stay vigilant and protect their data assets. Advanced monitoring and detection controls are key in avoiding and staying ahead of critical breaches like this one
Companies are increasingly shifting their business models online, especially now due to new remote work policies amid the coronavirus crisis. Food delivery services such as Home Chef are currently in great demand and for customers to use these services, they must first create accounts with email addresses and passwords as well as other personal and financial data. Home Chef must ensure that the account data it collects and manages on millions of uses’ is properly protected.
Compromised credentials still account for over 80% of hacking-related data breaches, making credential theft a worthy target for sophisticated hackers like Shiny Hunters. Considering that 99% of employees reuse passwords across an average of 2.7 work and personal accounts, it is highly likely that this breach compromised many more millions of accounts beyond the Home Chef accounts alone. For Home Chef, this breach should serve as a rude awakening to ensure a strong security posture is met, including implementation of an effective multifactor authentication strategy for access to all customer data. For consumers and enterprises, this is a similar wake-up call to leverage multifactor authentication whenever possible, and to stop reusing passwords across sites.
It’s more essential than ever for companies like Home Chef, a meal kit and delivery service, to ensure they have proper security protocols to keep customer information safe. More often than not, companies’ security and compliance practices are reactive, meaning they do not address or are unaware of a system vulnerability until after a breach occurs.
However, to properly protect consumer data, organizations must transition to more modern, proactive security measures. Companies should deploy automated security solutions that can detect vulnerabilities in real time and trigger instant remediation or alert the appropriate personnel of the issue before customer privacy is compromised. Organizations should also implement multi-factor authentication (MFA) for all users on their systems, securely manage service accounts and their corresponding keys, and enforce best practices for the use of audit logs and cloud logging roles.
Attackers define the rules of engagement when it comes to carrying out data breaches, and attackers selling stolen data with the goal of monetary gain is nothing new. There is high demand for such information on the dark web to further carry out phishing campaigns, and similar attacks.
Passwords—even encrypted passwords—can be cracked. If a hacker succeeds in accessing password data, it could be a key element in carrying out additional attacks. When we add email addresses to those cracked passwords, attackers may now be able to enter other services such as bank accounts, e-commerce sites, among many others. A particularly concerning element here is that users often recycle passwords across multiple accounts which makes things easy for attackers if they successfully get their hands on this information. For this reason, it’s of great importance to create unique passwords and to change passwords on a regular basis. I would urge users of one or more of the affected services to immediately change their passwords as a precaution.
With regards to the last four digits of your credit card number, if you believe this is useless data without the full number, think again. Some services require you to only enter the last 4 numbers to confirm your identity. As such this data can be of use to attackers with the knowledge of how to make the most of such information. If you’re concerned that your card information may have been exposed, get in touch with your bank and credit card providers to ask for their guidance. It’s also a good practice for everyone to keep a close eye on the transactions being processed on your cards and accounts so as to avoid fraud and theft.
This is an example of how companies of all sizes and in all industries need to ensure they are protecting their customer data. In this case, the bad actor is selling the 8 million records for only $500 to $2500, but the cost to the company and potentially to their customers, will far exceed that.
While the information may not seem extremely useful at first glance, bad actors can use this information to craft very targeted attacks to these customers. By having email addresses, street addresses, phone numbers and the last four digits of a credit card number, scammers could very effectively impersonate someone from the breached organization, make some phone calls and request updated credit card information, passwords, etc. using social engineering techniques.
In addition, depending on the encryption techniques and strength used, attackers could potentially decrypt passwords. While customers may change their password at this site, the bad guys know that people tend to reuse passwords across the internet and could use these credentials to perform something called a “credential stuffing” attack. This is where the bad guys take known credentials from one website and try to use it to log into other sites such as banking, other shopping sites, email accounts, etc.
Victims of this breach should ensure that their passwords are changed at this site as well as anywhere else it\’s being used. They should consider enabling multi-factor authentication wherever possible and look into the use of password vaults, which generate random passwords for each site, eliminating reuse, and store them in a secure and easy to use way. Victims should also be aware that they may be a target of phishing or vishing schemes where scammers would call them using this information they have and try to get them to give up further information.