Meal kit delivery service Home Chef is the latest company to suffer a data breach, with the details of some 8 million customers stolen.

The hack was not detected by the company but only came to light after stolen customer records from the company were offered for sale on the dark web, a shady part of the internet reachable with special software. The stolen data includes email addresses, encrypted passwords, the last four digits of credit cards, gender, age, subscription information and more.

According to Bleeping Computer, the data was stolen and being offered for sale by a hacking group going by the name of Shiny Hunters.

Home Chef confirmed the hack in what is arguably one of the worst breach disclosures of recent times: It’s presented as a Q&A buried in the company’s support pages, saying it simply suffered a “data security incident” without providing much in the way of details.

In a subsection of their disclosure, the company, which was acquired by Kroger Co. in 2018, said that “we are taking action to investigate this situation and to strengthen our information security defenses to prevent similar incidents from happening in the future.”

Home Chef claims that it delivers to 98% of the United States, including California, whose Consumer Privacy Act Home Chef may have breached. How or when the hack took place is unknown.

“Home Chef’s breach of 8 million records puts more than customers’ meal kit delivery services at risk,” Robert Prigge. chief executive officer of identity verification company Jumio Corp., told SiliconANGLE. “Whether ordering food or playing innocent games on your phone, cybercriminals are looking for every opportunity possible to acquire user data.”

The problem he explained, is that exposed encrypted passwords can easily be decrypted and used to access other accounts, including bank accounts, social media profiles and health insurance accounts. “Other exposed information including email addresses, gender, age and last four credit card digits can be combined with other available information on the dark web to create a ‘fullz,’ giving fraudsters everything they need to commit automated account takeover fraud,” Prigge said.

Chris DeRamus, vice president of technology, cloud security practice at security operations firm Rapid7 Inc., said that it’s more essential than ever for companies to ensure they have proper security protocols to keep customer information safe. “More often than not, companies’ security and compliance practices are reactive, meaning they do not address or are unaware of a system vulnerability until after a breach occurs,” he said.

James Carder, chief security officer and vice president at security intelligence firm LogRhythm Inc., noted that ensuring sufficient security measures are in place to protect customer data and rapidly respond to cyberthreats is critical as demand for delivery services continues to grow amid the coronavirus crisis.

“All companies in this sector must not falsely assume that they are immune to attack just because they have become an essential service to help people during a challenging time,” he said. “Hackers exploit any organization that has access to vast amounts of valuable information, especially those in industries that generally have less security controls and advanced protections in place. Attackers go after low-hanging fruit, and Home Chef quickly became a prime target.”

Image: Home Chef