Meal Kit Service Home Chef Concedes Major Breach by Shiny Hunters

After suffering a large data breach announced on May 20, Chicago-based food delivery and meal kit service Home Chef has conceded that over 8 million user records were sold on a dark web marketplace in an incident that was likely orchestrated by hacking group Shiny Hunters.

According to a digital investigation by Bleeping Computer, the group was selling the user records of eleven companies on a dark web marketplace for between $500 and $2,500 per database. Meal kit service Home Chef was one of the companies on the list, with its stolen database allegedly containing 8 million individual user records.

How the delivery and meal kit service Home Chef became a target

The first suspicions that something had gone wrong arose on May 7, when researchers from the security firm ZeroFOX noticed a dark web listing advertising 8 million customer records stolen from the meal kit service, as well as records from other companies.

The records—which ZeroFOX said at the time contained emails, passwords, encrypted passwords, IP addresses, phone numbers and the last four digits of some Social Security numbers—were reportedly up for sale for $2,500.

The investigation was quickly picked up by journalists at Bleeping Computer, who emailed the findings of their investigation to Home Chef. Two weeks later, the meal kit service officially acknowledged that a data breach had indeed taken place, publishing a statement and answering questions on their website.

“We recently learned of a data security incident impacting select customer information, including names and emails, as well as limited customer account information and encrypted passwords,” the meal kit service conceded in a statement. “We are taking action to investigate this situation and to strengthen our information security defenses to prevent similar incidents from happening in the future.”

According to an official Home Chef FAQ written up in light of data security concerns, the meal kit service acknowledges that among the stolen data points were email addresses, names, phone numbers, encrypted passwords, the last four digits of credit card numbers, and other account information that was accessed by Shiny Hunters.

What we know about Shiny Hunters

The Shiny Hunters hacking group was allegedly responsible for compromising all eleven companies on the dark web list, which resulted in more than 73.2 million user records being accessed globally in total.

According to security news network Cyberscoop, Shiny Hunters has a long record of so-called “data brokering”. According to reports, it is the same group that had tried selling 91 million customer records from e-commerce platform Tokopedia, photo-printing service Chatbooks, and many other organizations.

The group remains elusive, and very little definitive information is available about its origin. Shiny Hunters appears to make its money by selling stolen data on the dark web, just as it did with the data taken from meal kit service Home Chef.

According to a person claiming to be a member of Shiny Hunters, who spoke to Wired, the process of hijacking sensitive information from companies is “not too hard”.

“It’s just a way to make money, but if companies are afraid and want their database taken off the market, they can contact me for an agreement, it has been done recently and both sides were satisfied,” the alleged Shiny Hunters member explained over instant message.

What to remember—for employees and employers

Evidence increasingly shows that malware and data breaches are on the rise across the world. More and more, falling victim to hacking is becoming yet another threat with which business owners must contend in an ever-changing risk landscape.

However, there are simple steps that workers and leaders alike can take to reduce the risk of Home Chef-style cyber extortion.

According to Vinay Sridhara, the CTO of cybersecurity risk firm Balbix, the first risk exposure factor that placed Home Chef in a vulnerable position was the rapid extension of its delivery and meal kit service to meet the demand brought about by the ongoing coronavirus pandemic.

“Companies are increasingly shifting their business models online, especially now due to new remote work policies amid the coronavirus crisis,” explains Sridhara. “Food delivery services such as Home Chef are currently in great demand and for customers to use these services, they must first create accounts with email addresses and passwords as well as other personal and financial data.”

Sridhara goes on to point out that compromised credentials lie at the heart of many vulnerabilities, and that employees themselves have an important role to play in securing their own data and, by extension, the data of their company.

“Home Chef must ensure that the account data it collects and manages on millions of users is properly protected,” continues Sridhara. “Compromised credentials still account for over 80% of hacking-related data breaches, making credential theft a worthy target for sophisticated hackers like Shiny Hunters.”

He adds that, considering that around 99% of employees reuse passwords across an average of 2.7 work and personal accounts, “it is highly likely that this breach compromised many more millions of accounts beyond the Home Chef accounts alone.”

In this way, cyberattacks of this kind serve as a “rude awakening” for companies, and speak to the importance of incorporating methods such as multifactor authentication into computer networks.

“For Home Chef, this breach should serve as a rude awakening to ensure a strong security posture is met, including implementation of an effective multifactor authentication strategy for access to all customer data,” concluded Sridhara. “For consumers and enterprises, this is a similar wake-up call to leverage multifactor authentication whenever possible, and to stop reusing passwords across sites.”