Home Chef has confirmed a major breach of customers’ personal information, potentially affecting millions of users.
The Chicago-headquartered meal delivery service revealed in a notice on its website that email addresses, encrypted passwords, last four digits of credit card numbers and “other account information such as frequency of deliveries and mailing address” were among the compromised details.
“We are taking action to investigate this situation and to strengthen our information security defenses to prevent similar incidents from happening in the future,” it said.
Although passwords were scrambled, the firm urged customers to reset their credentials anyway. Encrypting passwords and storing only partial credit card details will limit customers’ risk exposure, but the other personal details could be used to craft convincing phishing attacks spoofing the brand.
“You should also remain vigilant against phishing attacks and monitor your accounts for any suspicious activity,” said Home Chef. “Remember that we will never ask you to send sensitive information over email, and you can make any necessary changes to your accounts by logging into your account directly on our website.”
Although the firm claimed that only “select customer information” was taken, a dark web trader claims to have as many as eight million records up for sale.
Boris Cipot, senior security engineer at Synopsys, argued that even Home Chef’s efforts to minimize risk exposure may be undone.
“Passwords — even encrypted passwords — can be cracked. If a hacker succeeds in accessing password data, it could be a key element in carrying out additional attacks. When we add email addresses to those cracked passwords, attackers may now be able to enter other services such as bank accounts, e-commerce sites, among many others,” he argued.
“With regards to the last four digits of your credit card number, if you believe this is useless data without the full number, think again. Some services require you to only enter the last four numbers to confirm your identity. As such this data can be of use to attackers with the knowledge of how to make the most of such information.”