Meal kit services have been in high demand during the lockdown phase of Covid-19. Earlier in the week, Home Chef confirmed a security incident that exposed the personal information of an alleged 8 million customers.
The impacted data includes email addresses, names, phone numbers, encrypted passwords and the last four digits of credit card numbers used to place orders online.
While the company confirmed that they “do not store complete credit or debit card information,” it added that “other account information such as frequency of deliveries and mailing address may also have been compromised.”
To make matters worse, the announcement follows a previous report related to a malicious group called Shiny Hunters that was already selling user databases from 11 companies (including Home Chef) on the dark web for between $1,500 and $2,500.
How is the company addressing the data breach?
On their FAQ page, Home Chef states that, “as soon as we learned of this incident, we took prompt and aggressive steps to investigate and communicate with the Home Chef community,” and is emailing impacted customers. “We are taking action to investigate this situation and to strengthen our information security defenses to prevent similar incidents from happening in the future.”
What should impacted customers do?
While the leaked account passwords are encrypted, all users are advised to change their login credentials by following the steps below:
• Visit www.homechef.com
• Click on “Log in”
• Access account information and select the “Change Your Password” function
All customers are advised to remain vigilant and monitor their inboxes for unsolicited emails and phishing attacks. Negative effects of a data leak can haunt victims for years. If you use the same login credentials for other online platforms, change passwords on all of them.
Be wary of any suspicious phone calls, and don’t provide personal information such as Social Security numbers, bank account or credit card information to any individuals claiming to be from the company.
“Remember that we will never ask you to send sensitive information over email, and you can make any necessary changes to your accounts by logging into your account directly on our website,” the company said.