Home Chef

Home Chef, a meal kit and food delivery service based in the US, today announced a data breach after a hacker sold eight million user records on a dark web marketplace.

Last week, a threat actor called Shiny Hunters was confirmed to be selling user records from eleven companies on a dark web marketplace. The threat actor sold these databases for $500 to $2,500.

One of the databases being sold contained the user records for Home Chef, reportedly 8 million of them.

Dark web marketplace ad for Home Chef database

The threat actor sold this database for $2,500 and provided a sample showing the types of data in the database table.

This information includes a customer's email address, encrypted password, the last four digits of their credit card, gender, age, subscription information, and more.

Sample of the sold user database

Home Chef issues data breach notification

Now, nearly two weeks later, in a “Data Protection Incident” notice posted to their web site, Home Chef has officially disclosed the data breach.

“Protection of customer data is a top priority for Home Chef, and we work hard to safeguard our customers’ information. We recently learned of a data security incident impacting select customer information,” their data security incident FAQ states.

According to this notification, Home Chef states that customers' email addresses, names, phone numbers, encrypted passwords, the last four digits of credit card numbers, and other account information have been accessed.

Home Chef notes that only the last four digits of a customer’s credit card have been obtained, and that full payment information is not stored in their databases.

What should Home Chef customers do?

Although the passwords leaked in this data breach were encrypted, threat actors can still use password decryption programs against them.

If you are a Home Chef customer, you should immediately change your password to a secure and unique one.

If the same password was used on another site, it should be changed at every other site that uses it as well.

When changing your passwords, be sure to use a unique and strong password at each site so that a data breach at one company does not affect your accounts at others.