Mail-order meal kits have become even more popular as the coronavirus pandemic has kept people home and cooking on a regular basis. Unfortunately, one of these, the popular Kroger’s Home Chef service, recently served up a side of data breach along with its perfectly measured ingredients.
According to a notice posted on the Home Chef website, the company “recently learned of a data security incident impacting select customer information.” That info includes email addresses, names, phone numbers, encrypted passwords and the last four digits of credit-card numbers.
Perhaps most importantly for any fraudsters planning to use the information, “other account information such as frequency of deliveries and mailing address may also have been compromised,” Home Chef said – data that a cybercriminal could use to cook up a convincing phishing email.
The “encrypted passwords” are no guarantee against account takeover, security researchers warned.
“While the customer passwords in the leaked database were encrypted, there are tools that cybercriminals can leverage to decrypt them and potentially gain access to a number of accounts across multiple services that their victims use,” said Anurag Kahol, CTO at Bitglass, via email, adding that 65 percent of people use the same password for multiple or all of their accounts. “All consumers, not just users impacted by this incident, should improve their password hygiene by diversifying their login credentials across different accounts in order to mitigate the chances of their account being hijacked.”
The service is notifying all impacted customers and is urging password changes; it also said that “we are taking action to investigate this situation and to strengthen our information-security defenses to prevent similar incidents from happening in the future.”
It offered no details as to how the breach occurred – Threatpost has reached out for comment.
Unfortunately, meal-kit companies are a somewhat obvious target for attackers during pandemic time, according to James Carder, chief security officer and vice president of LogRhythm.
“Home Chef is one of the key players in the multi-billion-dollar meal -kit delivery industry and is owned by one of the biggest supermarket retailers, Kroger,” he said, via email. “A company of this size must take responsibility for ensuring that sufficient security measures are in place to protect customer data and rapidly respond to cyberthreats. This is especially true now, as demand for deliver services continues to grow amid the coronavirus crisis. All companies in this sector must not falsely assume that they are immune to attack just because they have become an essential service to help people during a challenging time.”
The company didn’t specify how many customers were affected, but earlier this week Bleeping Computer reported that the company was one of several caught up in the Shiny Hunters credential dump bonanza on an underground forum. In all, 8 million records were put up for sale from Home Chef starting two weeks ago, according to the outlet.
The Shiny Hunters group made a splash earlier this month, allegedly compromising 73.2 million user records from over 11 companies worldwide.
The group claimed that it broke into Microsoft’s GitHub account and stole 500 GB of data from the tech giant’s own private repositories on the developer platform. Researchers earlier this month also observed Shiny Hunters stealing log-in data for 91 million users of Indonesia’s largest e-commerce platform, Tokopedia, and then selling it on the dark web for $5,000.
Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On June 3 at 2 p.m. ET, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, Taming the Unmanaged and IoT Device Tsunami. Get exclusive insights on how to manage this new and growing attack surface. Please register here for this sponsored webinar.