Home Chef, a US-based company, is a meal kit delivery service. If you don’t have time to go to the grocery store and are looking for healthy meals, you can contract with them for meal deliveries to your home. The ingredients show up in a box and you are ready to go! While not an overly complex process, this is still pertinent.
As part of the service, you would pay for the deliveries with your credit card. The company isn’t going to ship your food and hope you pay the bill. The organization does collect certain data from its clients to facilitate this, which is part of the standard operating procedure. Nearly all companies follow this model.
In this case, there was a successful attack. The compromised customer information included the customer’s name, email address, phone number, and last four digits of the credit card numbers. This would be a much bigger issue; however, Home Chef does not retain full credit card numbers. In addition, the encrypted passwords and certain account details (e.g. frequency of deliveries and mailing addresses) were also compromised.
Home Chef has not stated how many customers were affected. As a clue to the general number, the attackers responsible for this, Shiny Hunters, claim to be selling approximately 8M records. The price of this database was $2,500. Given the number of records and the data for each record, this is not that bad of a deal. To authenticate, Shiny Hunters also provided a sample.
The attack itself is also a bit of a mystery. The company is not stating how this occurred, which is unfortunate. We could use this information as a learning tool. Curiously, Home Chef did not know this had occurred, which is a bit strange as the SIEM should have picked up a bit of unusual activity since, you know, a few records (8M) were compromised and exfiltrated. Home Chef learned of this after they discovered the records were being sold on the dark web. Oops. The InfoSec group probably should have picked up on this. It is also notable that completing this compromise would have taken a bit of time. It is likely the attackers had access to the systems and data for an extended period as they completed their attack.
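The kind of volume check a SIEM rule could apply to database read activity is sketched below. This is an added example, not code from Home Chef or from the original article. The event fields, the principals `svc-orders` and `svc-report`, and every threshold are constructed for illustration; only the 8M table size comes from the record count claimed above.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

def build_sample():
    """Constructed audit events: (day, principal, table, rows_returned)."""
    start, events = date(2020, 1, 1), []
    for i in range(30):
        day = start + timedelta(days=i)
        events.append((day, "svc-orders", "customers", 4000 + (i % 5) * 100))
        events.append((day, "svc-report", "customers", 900))
        if i >= 20:  # constructed anomaly: large extra reads from day 21 on
            events.append((day, "svc-report", "customers", 60000))
    return events

def detect(events, table, table_rows, baseline=14, k=6, window=7, frac=0.05):
    """Return {principal: [(day, reason), ...]} for reads of `table`."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, who, tbl, rows in events:
        if tbl == table:
            totals[who][day] += rows
    alerts = defaultdict(list)
    for who, per_day in totals.items():
        for day in sorted(per_day):
            # Check 1: today's volume against this principal's own history.
            hist = [v for d, v in per_day.items()
                    if timedelta(0) < day - d <= timedelta(days=baseline)]
            if len(hist) >= 7:
                med = median(hist)
                mad = median(abs(v - med) for v in hist)
                if per_day[day] > med + k * max(mad, 0.1 * med):
                    alerts[who].append((day, "spike"))
            # Check 2: rows read over the rolling window as a share of the
            # table; catches sustained pulls after the baseline has drifted.
            recent = sum(v for d, v in per_day.items()
                         if timedelta(0) <= day - d < timedelta(days=window))
            if recent >= frac * table_rows:
                alerts[who].append((day, "cumulative"))
    return dict(alerts)

if __name__ == "__main__":
    for who, hits in detect(build_sample(), "customers", 8_000_000).items():
        for day, reason in hits:
            print(day, who, reason)
```

On the sample data the spike rule stops firing once the elevated reads dominate the 14-day baseline, while the cumulative rule keeps alerting, which is why a long-running extraction needs both checks.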
Naturally, when this occurs, there is a lot of activity very quickly. The company did state they were taking quick and aggressive actions to investigate the breach.
Too frequently, companies are not overly aggressive in their timeline to contact law enforcement. Home Chef, on the other hand, handled this efficiently and contacted them quickly. The company did email the affected customers, which was done quicker than other firms in like circumstances, which is a good thing. The company is also recommending the customers change their passwords out of an abundance of caution. Remember, the passwords were encrypted; however, the company may have used weak encryption, which would be a problem. If these were to be decrypted, there would be a big problem for the customers. Changing passwords is also a good idea due to the potential for credential stuffing, or the attackers using your password to try to access other accounts. If the users did use the same password across several domains, these also should be changed. The customers should also use MFA (multi-factor authentication) moving forward as an additional feature.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.