Wegmans Food Markets notified customers that some of their information was exposed after the company realized that two of its databases were publicly accessible on the Internet due to a configuration problem.
Wegmans is a major regional grocery chain with 106 stores in the Mid-Atlantic and Northeast regions (i.e., New York, Pennsylvania, New Jersey, Virginia, Maryland, Massachusetts, and North Carolina).
The store chain was founded in 1916 and is one of the largest private companies in the US, employing more than 50,000 people.
No payment information was exposed in the incident.
“We recently realized that due to a previously undiscovered configuration issue, two of our cloud databases, which are used for business purposes and intended to remain internal to Wegmans, were inadvertently left open to possible external access,” the supermarket chain said in a press release.
“An outside security researcher brought this issue to our attention, and we then confirmed the configuration issue, starting on or around April 19, 2021.”
After the data breach was discovered, Wegmans hired a leading forensic firm to investigate the incident and correct the misconfiguration of the databases.
Customer information exposed in the data breach included names, addresses, phone numbers, dates of birth, Shoppers Club numbers, and email addresses and passwords for Wegmans.com accounts.
However, according to Wegmans, the passwords in the exposed databases were stored only as salted hashes; the actual passwords were not stored in the unsecured databases.
“Social security numbers were not affected (Wegmans does not collect this information from its customers) and no payment card or bank information was involved,” the company added.
Although all affected Wegmans.com passwords were hashed, as a conservative measure, you can change the password for your Wegmans.com account, as well as any other account for which you use the same password. It’s generally a good idea to use a unique password for every online account you may have. – Wegmans
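The advice above rests on the distinction between a stored password and a salted hash of it. The following is an added illustration, not code from Wegmans or from the original article, and the scheme it uses (scrypt with a random 16-byte salt per user) is an assumption; the article does not say which hash function Wegmans uses. It shows why a leaked record does not directly reveal the password, why two users with the same password get different records, and why a weak password is still recoverable by offline guessing against its own salt, which is exactly why a reset is recommended:

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# scrypt work factors, kept modest so the example runs in well under a second per hash.
# Production deployments should use the highest cost the login path can tolerate.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'scrypt$<salt-hex>$<hash-hex>'.

    A fresh random salt is drawn per user unless one is supplied (the optional
    argument exists only so tests can build a deterministic record).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = record.split("$")
    if scheme != "scrypt":
        return False
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(digest.hex(), digest_hex)


def offline_guess(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker holding a leaked record can do: try candidates against that
    record's own salt. The salt defeats precomputed tables, not weak passwords."""
    for candidate in wordlist:
        if verify_password(candidate, record):
            return candidate
    return None


if __name__ == "__main__":
    rec_a = hash_password("correct horse battery staple")
    rec_b = hash_password("correct horse battery staple")
    print("same password, different records:", rec_a != rec_b)
    print("verify correct:", verify_password("correct horse battery staple", rec_a))
    print("verify wrong:  ", verify_password("Winter2021", rec_a))
    # A constructed, deliberately weak password is still found by a short wordlist.
    weak = hash_password("Winter2021")
    print("offline guess of weak password:", offline_guess(weak, ["password", "Winter2021"]))
```

The leaked record contains the salt in the clear; that is expected and fine, since the salt's job is only to make each record an independent cracking target. What protects an account is the work factor combined with password strength, which is why the reuse warning in the article matters more than the hashing itself.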
Credential stuffing attack warning three months prior
In late March, the supermarket chain had also notified customers of credential stuffing attacks in January that used credentials stolen from other online services and affected more than 2,7,000 accounts.
“Your login credentials were likely obtained from another source, for example another company engagement or website, where you may have used the same or similar login credentials,” the company said in a notification letter sent to affected customers in March.
“This is known as a ‘credential stuffing’ attack, which can occur when people use the same login credentials on multiple websites.”
After detecting the incident in mid-February, Wegmans found that the attackers had been able to access names, phone numbers, addresses, dates of birth, and Wegmans Shoppers Club numbers associated with the compromised Wegmans.com accounts.
Credit or debit card payment information was not exposed in the incident because Wegmans does not store such information on its servers.
Wegmans also blocked the attacker’s access by forcing a password reset for all affected accounts to prevent future logins.
Affected customers were also advised not to use the same credentials (i.e. emails and passwords) for multiple online platforms, including email, banking, social media, and other retail accounts.
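A credential stuffing campaign of the kind described above has a recognisable shape in web login logs: one source tries many distinct accounts, most attempts fail because the reused password does not match, and the few that succeed are the accounts that need a forced reset. The following detection logic is an added example written for this article, not Wegmans' own tooling; the log events are constructed, and the thresholds (at least 5 distinct accounts from one IP, no more than 30% successes) are assumptions a real deployment would tune:

```python
from collections import defaultdict
from typing import Dict, List, Tuple

LoginEvent = Tuple[str, str, str, str]  # (timestamp, source_ip, account, outcome)

# Constructed sample events. 203.0.113.7 sprays one reused password across many
# accounts; 198.51.100.10 is a shared office NAT where several people log in
# normally; 192.0.2.5 is one user mistyping their own password twice.
SAMPLE_LOGINS: List[LoginEvent] = [
    ("2021-01-15T02:00:01Z", "203.0.113.7", "alice@example.com", "fail"),
    ("2021-01-15T02:00:02Z", "203.0.113.7", "bob@example.com", "success"),
    ("2021-01-15T02:00:03Z", "203.0.113.7", "carol@example.com", "fail"),
    ("2021-01-15T02:00:04Z", "203.0.113.7", "dave@example.com", "fail"),
    ("2021-01-15T02:00:05Z", "203.0.113.7", "erin@example.com", "success"),
    ("2021-01-15T02:00:06Z", "203.0.113.7", "frank@example.com", "fail"),
    ("2021-01-15T02:00:07Z", "203.0.113.7", "grace@example.com", "fail"),
    ("2021-01-15T02:00:08Z", "203.0.113.7", "heidi@example.com", "fail"),
    ("2021-01-15T09:01:00Z", "198.51.100.10", "ivan@example.com", "success"),
    ("2021-01-15T09:02:00Z", "198.51.100.10", "judy@example.com", "success"),
    ("2021-01-15T09:03:00Z", "198.51.100.10", "mallory@example.com", "success"),
    ("2021-01-15T09:04:00Z", "198.51.100.10", "niaj@example.com", "success"),
    ("2021-01-15T09:05:00Z", "198.51.100.10", "olivia@example.com", "success"),
    ("2021-01-15T12:00:00Z", "192.0.2.5", "carol@example.com", "fail"),
    ("2021-01-15T12:00:10Z", "192.0.2.5", "carol@example.com", "fail"),
    ("2021-01-15T12:00:20Z", "192.0.2.5", "carol@example.com", "success"),
]


def detect_stuffing(events: List[LoginEvent],
                    min_accounts: int = 5,
                    max_success_ratio: float = 0.3) -> Dict[str, List[str]]:
    """Return {source_ip: [accounts that were successfully logged into]} for each
    source that targeted many distinct accounts with a low success rate.

    The success-ratio check is what separates an attacker from a busy NAT: a
    shared office address also shows many accounts, but its attempts mostly succeed.
    """
    stats = defaultdict(lambda: {"accounts": set(), "attempts": 0,
                                 "successes": 0, "compromised": set()})
    for _ts, ip, account, outcome in events:
        s = stats[ip]
        s["accounts"].add(account)
        s["attempts"] += 1
        if outcome == "success":
            s["successes"] += 1
            s["compromised"].add(account)

    flagged: Dict[str, List[str]] = {}
    for ip, s in stats.items():
        ratio = s["successes"] / s["attempts"]
        if len(s["accounts"]) >= min_accounts and ratio <= max_success_ratio:
            flagged[ip] = sorted(s["compromised"])
    return flagged


def accounts_to_reset(flagged: Dict[str, List[str]]) -> List[str]:
    """Union of accounts the attacker actually got into; these get a forced reset."""
    return sorted({acct for accts in flagged.values() for acct in accts})


if __name__ == "__main__":
    hits = detect_stuffing(SAMPLE_LOGINS)
    for ip, accts in hits.items():
        print(f"stuffing source {ip}: {len(accts)} account(s) compromised")
    print("force reset:", accounts_to_reset(hits))
```

The forced reset the article describes is the right response for the accounts in the output, but it only closes the door on this site; the same email and password pair remains valid wherever else the customer reused it, which is why the notification also tells customers to stop sharing credentials across services.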
A spokesperson for Wegmans was not available for comment when contacted by BleepingComputer today.