Home Chef 2020 Data Breach

Home Chef Meal Kit Delivery Breach (2020): 8.7 Million Customer Records Including Partial Credit Card & Passwords Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

ShinyHuntersMisconfigurationFood DeliveryCredit CardEmail AddressFull NameGeographic LocationIP AddressPasswordPhone Number
Moderate SeverityWebsite / service breach

Home Chef Meal Kit Delivery Breach (2020): 8.7 Million Customer Records Including Partial Credit Card & Passwords Exposed

Meal kit delivery service.

Verified by ObscureIQ Intelligence
54/100Breach Risk Index
18Data Value
25Market Recency
399dSince Breach

Breach Intelligence Summary

Entity: Home Chef · Actor: ShinyHunters · Sources: 7 references
Attack: Misconfiguration
Profile: Platform · Meal kit delivery services · Subscription food delivery platform · USA
Timeline: Breach (2020-02-10) · Indexed (Mar 24, 2025) · Year (2020)
Exposure: 8.7M records · 7 fields: Credit Card, Email Address, Full Name, Geographic Location, IP Address, Password, Phone Number
Status: Confirmed

Executive Summary

Home Chef, the Chicago-based meal kit delivery service owned by Kroger, suffered a data breach in May 2020 when the hacking group ShinyHunters infiltrated its systems through a misconfiguration and exfiltrated records on approximately 8.7 million customers. ShinyHunters subsequently listed the stolen data for sale on dark web marketplaces. The breach occurred while Home Chef was operating under Kroger's ownership, following its 2018 acquisition. The exposed data included customer names, email addresses, phone numbers, geographic locations, IP addresses, the last four digits of credit card numbers, and passwords stored as bcrypt hashes. While bcrypt hashing provides some protection against immediate password cracking, the combination of personal and partial financial data creates meaningful risk. Affected individuals could face phishing attempts, order fraud, and delivery impersonation. Subscription and dietary preference data, if included, may also reveal personal health or lifestyle patterns. Home Chef notified affected customers and prompted password resets following discovery of the breach. No major class-action settlement or regulatory enforcement action specific to this incident has been publicly documented. Affected customers should remain alert to phishing emails that reference their Home Chef account, monitor for any unauthorized charges, and change their password on any other service where they used the same credentials.

ObscureIQ assessment: Exposure enables phishing, order fraud, delivery impersonation, and household targeting. Subscription and dietary data may also reveal health or lifestyle patterns.

Breach Impact

In May 2020 ShinyHunters breached Home Chef systems and exfiltrated data for approximately 8 million customer accounts. The stolen dataset included email addresses, names, phone numbers, geographic locations, IP addresses, partial credit card data, and hashed passwords. ShinyHunters subsequently offered the data for sale on dark web markets. Home Chef notified customers and prompted password resets. No major class-action settlement or regulatory enforcement action specific to this breach has been prominently documented in public sources. The breach occurred under Kroger's ownership.

About Home Chef

Home Chef is a meal kit delivery service offering pre-portioned ingredients and recipes for home cooking, serving primarily the U.S. market. Founded in 2013 and headquartered in Chicago, the company was acquired by Kroger in 2018 for approximately $200 million as part of Kroger's push into meal kit and prepared foods. Home Chef competes with HelloFresh, Blue Apron, and other subscription meal kit services.

Why They Hold Your Data

Meal-kit platforms collect customer identity, addresses, payment-adjacent data, subscription records, dietary preferences, and order history across recurring food-delivery operations.

Recent Developments

Home Chef has continued operating within the Kroger family of businesses. Kroger has integrated Home Chef's meal kits into its retail store footprint through in-store pickup and branded sections, supplementing the direct-to-consumer subscription model. The meal kit category has faced sustained margin pressure. No major standalone Home Chef organizational changes have been prominently reported beyond the Kroger operational context.

Data Points Exposed

7 verified field types
Credit Card Critical
Email Address
Full Name High
Geographic Location
IP Address
Password Critical
Phone Number

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:Critical
Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • Financial fraud using exposed financial profile data
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
Threat vectors:
  • Card-present & card-not-present fraud
  • Card identification & social engineering
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • Pattern-of-life analysis & physical surveillance
  • Geolocation & account flagging
  • Credential stuffing & account takeover
  • SIM swapping, vishing & SMS phishing

Threat Actor: ShinyHunters

ShinyHunters
Misconfiguration

Attribution and method are based on available breach intelligence. Reported attack vector: Misconfiguration.

Recommended Actions

If you believe your information may be included:

Change Reused Passwords
Update this account and anywhere you reused the password; use a manager.
Password manager guide
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Find 2FA settings
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
IdentityTheft.govReport to FTC

Frequently Asked Questions

What happened in the Home Chef breach?

Home Chef, the Chicago-based meal kit delivery service owned by Kroger, suffered a data breach in May 2020 when the hacking group ShinyHunters infiltrated its systems through a misconfiguration and exfiltrated records on approximately 8.7 million customers. ShinyHunters subsequently listed the…

What data was exposed?

Verified fields include Credit Card, Email Address, Full Name, Geographic Location, IP Address, Password, Phone Number.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
DataBreach.com
Record & field corroboration
Breach Index
Have I Been Pwned
Record & field corroboration
Cross-source
9ghz
Independent catalogue listing
Cross-source
BreachForums_Official_Index
Independent catalogue listing
Cross-source
Dehashed
Independent catalogue listing
Cross-source
leakfind
Independent catalogue listing
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation