The Shiny Hunters hacking group is quickly making a name for itself. In just a span of a couple of months, they have managed to breach large companies like Microsoft with the intent of obtaining sensitive data. As the adage says, there’s no rest for the wicked, and Shiny Hunters are back in the news for another data breach. This time, the company involved is a meal-prep delivery service called Home Chef. With the COVID-19 pandemic changing how many obtain groceries, meal-prep services have become a major hub for many. Home Chef is owned by Kroger, the largest U.S. supermarket operator.
On a dedicated webpage for customers, Home Chef reported that there had been a large data breach. They specifically stated the following:
We recently learned of a data security incident impacting select customer information... Based on the information known to date, the following information was impacted... Email address, name and phone number... Encrypted passwords... The last four digits of credit card numbers... Other account information such as frequency of deliveries and mailing address may also have been compromised.
Home Chef did not mention any specifics regarding the breach, but cybersecurity researchers were able to make some headway on their own. As reported by Bleeping Computer, Shiny Hunters were uncovered to be culprits thanks to a monetized data dump on a dark web forum. The data dump was a cluster of databases belonging to 11 different companies, including Home Chef. Shiny Hunters was charging $2,500 for the database, which was purported to have 8 million records of “a user’s email, encrypted password, last four digits of their credit card, gender, age, subscription information, and more.”
It is not confirmed at this time how Shiny Hunters gained access to Home Chef, but some experts have theories at least explaining why they were targeted. In an interview with Tara Seals of Kaspersky Lab’s Threatpost, James Carder, chief security officer and vice president of LogRhythm, stated the following:
Home Chef is one of the key players in the multibillion-dollar meal-kit delivery industry and is owned by one of the biggest supermarket retailers, Kroger... A company of this size must take responsibility for ensuring that sufficient security measures are in place to protect customer data and rapidly respond to cyberthreats. This is especially true now, as demand for deliver services continues to grow amid the coronavirus crisis. All companies in this sector must not falsely assume that they are immune to attack just because they have become an essential service to help people during a challenging time.
This is not, unfortunately, the last time Shiny Hunters will strike if their M.O. is anything to go by. Should they strike again, TechGenix will keep you informed.
Featured image: Shutterstock