Cyber Incident Victim: Hungryhouse
Date:
Nov 2015
Location:
United Kingdom
Summary
Hungryhouse proactively reset passwords for thousands of customers after discovering their email addresses were exposed in a third-party web hosting company's data breach, despite having no direct affiliation with the compromised provider. The company confirmed payment card details remained secure and notified affected users, though the incident prompted customer complaints on social media regarding unclear communication and concerns about potential unauthorized access. Approximately 10,000 accounts were impacted by the credential reset, which was implemented as a precautionary measure following the external security incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In late November 2015, Hungryhouse, an online takeaway food ordering service, initiated a password reset affecting thousands of customer accounts following the discovery of compromised user credentials linked to a third-party web hosting provider. The company’s head of security identified customer email addresses within a dataset exposed during an unrelated breach at this external hosting firm. Although Hungryhouse confirmed no direct affiliation with the breached third party and stated its own systems remained uncompromised, executives took preemptive action by forcibly resetting passwords for impacted accounts. One customer reported being informed that approximately 10,000 accounts were affected. The company assured users that financial data, including stored card details, remained secure and unaffected by this incident. Customers began receiving password reset notifications without prior solicitation, triggering immediate concerns about potential unauthorized access to their accounts.
Hungryhouse CEO Scott Fletcher publicly clarified that the password resets constituted a precautionary measure rather than a response to an internal security incident. The company communicated directly with affected users through Twitter, explaining the action as a "preventative security measure against a 3rd party" while acknowledging the lack of operational details about the external breach. Customers expressed frustration over insufficient communication channels, with multiple individuals reporting unanswered phone inquiries and demanding clarity via social media platforms. Public reactions on Twitter included concerns about bank card security, accusations of evasive responses from the company, and calls for external intervention from consumer advocacy entities. Hungryhouse committed to issuing formal email updates to customers but faced criticism for delayed transparency regarding the incident’s scope and causation. The password reset operation concluded without evidence of direct system intrusion or financial data exposure within Hungryhouse’s infrastructure.