The data breach apparently extended to eight million user records. The threat actor was selling this database for $2,500 and provided a sample showing the type of information in the database table. The repercussions of this breach go beyond the initial exposure.
The extent of the problem stems from what the Home Chef database contains: each user’s email, encrypted password, last four digits of their credit card, gender, age, subscription information, and more.
Looking into this in greater detail, Jumio CEO Robert Prigge says: “Home Chef’s breach of 8 million records puts more than customers’ meal kit delivery services at risk. Whether ordering food or playing innocent games on your phone, cybercriminals are looking for every opportunity possible to acquire user data. The exposed encrypted passwords can easily be decrypted and used to access other accounts including bank accounts, social media profiles, health insurance and more.”
His analysis also finds that: “Other exposed information including email addresses, gender, age and last four credit card digits can be combined with other available information on the dark web to create a ‘fullz,’ giving fraudsters everything they need to commit automated account takeover fraud.”
Prigge adds that: “It’s clear passwords (even encrypted ones) can’t be trusted to keep user data safe. As individuals are increasingly turning to online services amid the pandemic, businesses with an online presence need to be doing all they can to keep user information secure. Biometric authentication (using a person’s unique human traits to confirm identity) ensures that only the rightful owner can access their personal information.”