Home Chef food delivery service confirms breach, two weeks after stolen data went for sale

Researchers said on May 7 that some 8 million records purloined from the Chicago firm were for sale.
The stolen Home Chef records were for sale for $2,500 at the time they were found. (Courtesy of Home Chef)

Customers who used the Home Chef delivery service won’t be the first to know their data was stolen and put up for sale.

Nearly two weeks after security researchers said they found usernames and passwords belonging to Home Chef users for sale, the Chicago-based company said a security incident has resulted in the compromise of information about an undisclosed number of its customers. The announcement confirms prior claims from a hacking group, known only as Shiny Hunters, which alleged it had breached a number of seemingly random companies, then posted the stolen data for sale on forums frequented by cybercriminals.

“We recently learned of a data security incident impacting select customer information, including names and emails, as well as limited customer account information and encrypted passwords,” the company said in a statement. “We are taking action to investigate this situation and to strengthen our information security defenses to prevent similar incidents from happening in the future.”

Home Chef is one of a number of startups that deliver food ingredients, meal kits and recipes to customers in the United States. The grocery store chain Kroger announced in 2018 it would acquire Home Chef for $200 million, and an additional $500 million in incentives over the next five years.


The company did not answer questions seeking clarification about when the breach occurred, how many of its users are affected and whether the stolen information is being used for illicit purposes.

Researchers from the security firm ZeroFOX said on May 7 that they noticed a dark web listing advertising 8 million customer records stolen from Home Chef. The records, ZeroFOX said, contained emails, passwords, encrypted passwords, IP addresses, phone numbers and the last four digits of some Social Security numbers.

The stolen records were for sale for $2,500 at the time, ZeroFOX said.

Shiny Hunters is the same dark web data broker that has tried selling 91 million customer records from the Indonesian e-commerce company Tokopedia, a photo-printing service called Chatbooks and other organizations.

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.
