Cyber Incident Victim: HomeChef
Date: May 2020
Location: United States of America
Summary
A threat actor known as Shiny Hunters compromised the meal kit delivery service HomeChef, exfiltrating a database containing approximately eight million user records. The stolen data included email addresses, bcrypt-hashed passwords, IP addresses, phone numbers, zip codes, and partial social security numbers. The group attempted to sell this database for $2,500 on dark web forums alongside breached data from two other organizations, though no buyers were confirmed at the time of reporting. Researchers assessed the breach as legitimate, noting the hackers' pattern of targeting multiple entities and monetizing stolen credentials and personally identifiable information. The incident highlighted ongoing risks of credential reuse and unauthorized access stemming from large-scale data theft.
Description
The HomeChef data breach occurred on or around May 3, 2020, when threat actors known as Shiny Hunters compromised the meal kit delivery service's database and offered it for sale on dark web forums. The group advertised the stolen HomeChef database on May 8, 2020, alongside breached data from ChatBooks and Chronicle.com, collectively exposing 26 million user accounts across the three organizations. HomeChef's database contained approximately 8 million user records, making it the largest and most expensive dataset in this series of breaches with an asking price of $2,500. The stolen information included email addresses, IP addresses, bcrypt-hashed passwords, phone numbers, zip codes, and partial social security numbers. Security researchers from ZeroFox's Alpha Team identified the sale listings and assessed with high confidence that the breaches were legitimate, though no buyers had purchased the HomeChef data at the time of their investigation.

Shiny Hunters employed consistent tactics across these breaches, advertising all three databases on the same dark web forum with prices ranging from $1,500 to $2,500. The HomeChef breach represented the most recent addition to their offerings when discovered, having been posted the same day ZeroFox researchers observed the activity. While the bcrypt password hashing provided some protection against immediate credential misuse, the inclusion of personally identifiable information significantly increased identity theft risks for affected users. The attackers indicated they possessed additional compromised databases from other organizations that they planned to sell in the future. ZeroFox analysts noted the lack of buyers for any of the three databases increased the likelihood they would be relisted on other markets at reduced prices, potentially expanding their availability to cybercriminals. This incident followed a pattern of high-volume data thefts by Shiny Hunters, including prior breaches at Tokopedia and Unacademy, demonstrating their continued targeting of consumer service platforms with large user bases.
