Home Chef confirms data breach after eight million records sold on dark web


The recent breach of Home Chef, confirmed this week after malicious actor Shiny Hunters sold eight million of its records on the dark web, underscores the looming security challenge of managing employees who access business data from outside the confines of the secure network.

“With increased BYOD and remote work, acceptable usage policy enforcement is paramount to ensure delineation between work and personal apps, and information,” said Pulse Secure CISSP Scott Gordon. “The Home Chef breach shows how hackers create a domino effect that has severe security ramifications for both the individual and the enterprise,” especially since the database tapped contained email addresses, encrypted passwords, last four digits of credit cards, gender, age and subscription information. “It will be extremely easy to weaponize that data for future fraud,” he said.

Home Chef confirmed the breach after Shiny Hunters emerged as a serious dark web player following a spate of high-profile breaches, most recently claiming to have stolen data from Microsoft’s private GitHub repositories and threatening to release the code for free.

Shiny Hunters is behind the recently reported breaches of Indonesian e-commerce giant Tokopedia and Indian e-learning platform Unacademy, as well as breaches of Home Chef, online printing and photo store Chatbooks and college-oriented news site, ZeroFOX Alpha Team researchers said.

Home Chef offered scant details of the breach, confirming only that it “recently learned of a data security incident impacting select customer information” and encouraging customers to change their passwords.

Like many breached companies, Home Chef appeared to discover the problem only “after their customers’ information was already posted for sale online,” said Cerberus Sentinel vice president of solutions architecture Chris Clements, who called Home Chef’s response “very terse.”

The attackers likely “had Home Chef compromised for some time and may in fact still have access to their systems and data” where they still could “be actively stealing customer information,” he said. “Without confirmation from Home Chef, it’s impossible to know.”

James Carder, CSO and vice president of LogRhythm, said a company the size of Home Chef and its parent Kroger “must take responsibility for ensuring that sufficient security measures are in place to protect customer data and rapidly respond to cyberthreats,” especially as the “demand for delivery services continues to grow amid the coronavirus crisis.”

Companies like Home Chef must “ensure they have proper security protocols to keep customer information safe,” agreed Chris DeRamus, vice president of technology at Rapid7. “More often than not, companies’ security and compliance practices are reactive, meaning they do not address or are unaware of a system vulnerability until after a breach occurs.”
