Cyber Incident Victim: Weee!

Weee!, an Asian and Hispanic grocery delivery service operating across 48 U.S. states, suffered a data breach confirmed on February 6, 2023, though the company stated it became aware of the incident shortly before public disclosure. Threat actor "IntelBroker" leaked a database on the Breached hacking forum on February 8, 2023, claiming it contained information for 11 million customers of "Sayweee" (an apparent reference to Weee!). The compromised data included first and last names, email addresses, phone numbers, device types (iOS/Android/PC), order numbers, order notes or comments, and delivery addresses. Weee! confirmed to BleepingComputer that customer payment information was not exposed, as the company does not retain payment data in its systems. The breach impacted customers who placed orders between July 12, 2021, and July 12, 2022.

Troy Hunt of the Have I Been Pwned service analyzed the dataset and determined it contained 1.1 million unique email addresses, contradicting the threat actor's claim of 11 million records—the discrepancy likely resulted from duplicate entries created when customers placed multiple orders. Weee! notified all customers about the breach and committed to individually contacting those whose information was confirmed exposed. The company initiated a security review following the incident, emphasizing its commitment to maintaining community trust. Have I Been Pwned added the dataset to its notification service, enabling affected individuals to verify their exposure status. No technical details regarding breach methodology, intrusion timelines, or system vulnerabilities were disclosed by Weee! or corroborated by third-party investigators in the available source material. The incident exposed sensitive personal identifiers but no financial data or authentication credentials.