The US-Based Home Chef Urges Clients to Change Passwords After a Data Breach Was Revealed
We often talk about how important it is to act quickly in the aftermath of a data breach. Companies not only need to make sure that the cybercriminals have been successfully blocked and the security holes have been plugged, but they must also inform affected customers and transparently disclose the breach to the public. Incidents like the one that befell food delivery company Home Chef show that we'll probably need to continue repeating all this.
Home Chef – one of Shiny Hunters' victims
In early May, a new group of cybercriminals caught security experts' attention. They call themselves Shiny Hunters, and they appear to have access to a large collection of stolen information, which they are trying to monetize. First, a database taken from a popular Indonesian website called Tokopedia was put up for sale. Next, they tried to shift 22 million records stolen from the online educational platform Unacademy, and a few days later, Shiny Hunters proved once again that they are not to be underestimated.
They went back to their favorite hacking forums and announced no fewer than 10 previously unreported data breaches. They didn't claim to be responsible for the attacks, but they did point out that they have the stolen databases, and they are willing to share them in exchange for some bitcoins.
Priced between $500 and $3,500 per data set, the leaked information had been stolen from various different organizations, and as you might imagine, Home Chef is one of them. The hackers pilfered a total of 8 million records from the food delivery network, and they want $2,500 for them. For that, buyers get a substantial database that includes names, emails, phone numbers, various bits of account-related information, as well as encrypted passwords and the last four digits of people's credit or debit cards. Unfortunately, the encryption algorithm protecting the passwords remains unknown for now.
Home Chef waited for close to two weeks before it disclosed the data breach
On the whole, the details around the attack against Home Chef are somewhat scarce, but some of you could argue that we're lucky to have even that. Shiny Hunters' wholesale offer first made the news on May 9, when Bleeping Computer reported on it. At the time, only one of the ten affected organizations (a photo album vendor called ChatBooks) admitted that it had been targeted by cybercriminals, and although the news website tried to get in touch with everyone involved, the other companies preferred not to answer its emails. Home Chef is the second member of this group to come clean about the breach, and the way it's done it highlights the enormous problem we have with data security incidents and their disclosure.
It's been almost exactly two weeks since Shiny Hunters first told us that Home Chef had been hacked. Only the hackers can say how many people have paid for the stolen data during this period, and even they can do little more than guess how many times it's been re-shared.
The fact that it was put up for sale is not something Home Chef likes to discuss with its users. In fact, the FAQ page the company put together offers very little in the way of information. It doesn't do a very good job of giving users a clear account of what's happened, but it does showcase how many clichés companies use after they've been hit by a data breach. The only positive thing about it is that it urges users to change their passwords out of an abundance of caution.
If you are a Home Chef user, it is indeed a good idea to do that. Here are the steps:
- Log into your Home Chef account
- Click the Account dropdown menu and select Account information
- Fill out the Change Your Password form
- Click Save Your Settings
Companies appear to be convinced that they can somehow save face if they share little or no information about cybersecurity incidents they've been through. In the end, however, the users are the ones who could end up on the wrong end of all the different attacks enabled by data breaches, and they have every right to know what they need to look out for. The delayed disclosure and the reluctance to share details do nothing more than put the user at additional risk, and this can't be beneficial for the company's reputation.