Data Breach News: Inside the Home Chef Data Breach

Posted by Anna Kragie on May 21, 2020 2:00:33 PM

Home Chef, a Chicago-based meal kit and food delivery company, announced a data breach after a hacker attempted to sell information on a dark web marketplace.

Home Chef said the last four digits of customers' credit cards were accessed, as they don’t store complete payment information in their databases. Home Chef emailed affected customers. The company didn’t officially announce how many customers were impacted by the security incident, but the security site Bleeping Computer reported that hackers claimed to be selling a database of 8 million users.


The Home Chef breach was announced alongside 10 other companies that allegedly had databases of customer records for sale on the dark web. So far, only Home Chef and The Chronicle of Higher Education have confirmed or acknowledged a breach.

Partial credit card payment numbers were exposed in the latest data breach, along with a large amount of PII. While the company indicated that full card data is not stored on its systems, having partial card data alongside the other PII that was compromised can be enough for some hackers to confirm an identity. Other types of fraud that can occur as a result of the stolen data being sold on the dark web include Synthetic Fraud, Account Takeover and New Account Opening Fraud.

Although passwords were encrypted, threat actors can use programs to decrypt them. For users who use the same passwords on other sites, those accounts could become compromised. Dark Web crime rings are increasing as the availability of exposed PII grows substantially.

We recommend educating customers on the above types of fraud and the impact of these breaches:

  • Remind customers of data security best practices and common fraud schemes associated with these incidents, i.e. that they should never be contacted by their bank to verify personal information like birthdays and SSNs.
  • Remind customers to regularly update passwords, especially if their information has been breached.

To read more about the impact of this breach, read our full report. 
