As hackers sell 8 million user records, Home Chef confirms data breach

Meal kit and food delivery company Home Chef has confirmed that hackers breached its systems, making off with the personal information of customers.

Quite how the hackers breached Home Chef’s systems is unclear. In its own FAQ about the security breach, the business shares no details other than to say that it “recently learned of a data security incident impacting select customer information.”

However, earlier this month – weeks before Home Chef went public about its security breach – Bleeping Computer reported that the company was one of eleven whose breached data was being offered for sale on a dark web marketplace.

According to Lawrence Abrams of Bleeping Computer, the ShinyHunters hacking gang were offering eight million user records from Home Chef for $2,500.

ShinyHunters was offering for sale millions of stolen records from the Zoosk dating app, the photo book-making firm Chatbooks, the online art and design marketplace Minted, and others.

It seems natural to assume that Home Chef was not aware that it had suffered a data breach until cybersecurity journalists started writing about ShinyHunters’ attempt to sell the data on the underground marketplace.

According to Home Chef, information accessed by the hackers included customers’ email addresses, names, gender, phone numbers, the last four digits of credit card numbers, and “encrypted” passwords.

Quite what the Home Chef means by “encrypted” passwords is unclear, as the firm does not specify what encryption algorithm had been used (some are more resistant to cracking than others) and whether the data had been hashed (with a judicious sprinkling of salt) beforehand.

My feeling is, particularly when breached companies seem reticent to share details of how their passwords were being stored is to assume the worst – which means not only changing your password on that particular site, but also ensuring that you are not using that same password anywhere else on the internet.

And, obviously, make sure that any password you choose is not just unique, but also strong and hard to crack. A password manager is typically much better at generating (and indeed remembering!) hard to crack passwords than the human brain.

Home Chef says that it is contacting affected customers, strengthening its security systems, and sensibly is advising customers to change their passwords. In addition if you have ever used Home Chef you would be wise to keep an eye open for suspicious communications, which might be phishing attacks exploiting the breached data.