US Supermarket Chain Wegmans Notifies Customers of Data Breach

Wegmans Food Markets notified customers that some of their information was exposed after the company became aware that two of its databases were publicly accessible on the Internet because of a configuration issue.

Wegmans is a 106-store major regional supermarket chain with stores in the mid-Atlantic and Northeastern regions (i.e., New York, Pennsylvania, New Jersey, Virginia, Maryland, Massachusetts, and North Carolina).

The store chain was founded in 1916, and it is one of the largest private companies in the US, employing more than 50,000 people.

No payment information exposed in the incident

“We recently became aware that, due to a previously undiscovered configuration issue, two of our cloud databases, which are used for business purposes and are meant to be kept internal to Wegmans, were inadvertently left open to potential outside access,” the supermarket chain said in a press release.

“This issue was first brought to our attention by a third-party security researcher and we then confirmed the configuration problem, beginning on or about April 19, 2021.”

After the data breach was discovered, Wegmans hired a leading forensics firm to investigate the incident and correct the database misconfiguration.

Customer information exposed in the data breach included names, addresses, phone numbers, birth dates, Shoppers Club numbers, and Wegmans.com account e-mail addresses and passwords.

However, according to Wegmans, the databases contained only salted password hashes were both hashed and salted, with the actual passwords not being stored in the unsecured databases.

Also Read: Data Protection Officer Singapore | 10 FAQs

“Social security numbers were not impacted (Wegmans does not collect this information from its customers) nor was any payment card or banking information involved,” the company added.

Although all affected Wegmans.com passwords were protected through hashing, as a conservative measure, you can change the password to your Wegmans.com account, as well as for any other account for which you use the same password. It is generally a good idea to use a unique password for each online account you may have. – Wegmans

Credential stuffing attack warning three months earlier

In late March, the supermarket chain also notified customers of credential stuffing attacks using credentials stolen from other online services and affecting more than 2,7000 accounts in January.

“It is likely that your login credentials were taken from another source, for example, the compromise of another company or website, where you may have used the same or similar login credentials,” the company said in a notification letter sent to impacted customers in March.

“This is known as a ‘credential stuffing’ attack, which can occur when individuals use the same login credentials on multiple websites.”

After discovering the incident in mid-February, Wegmans found that the attackers could gain access to names, phone numbers, addresses, dates of birth, and Wegmans Shoppers Club Numbers associated with the compromised Wegmans.com accounts.

Credit or debit card payment information was not exposed in the incident because Wegmans does not store such info on their servers.

Also Read: The DNC Singapore: Looking at 2 Sides Better

Wegmans also blocked the attacker’s access by forcing a password reset for all affected accounts to prevent future logins.

Impacted customers were also advised no to use the same credentials (i.e., emails and passwords) for multiple online platforms, including email, banking, social media, and other retailer accounts.

A Wegmans spokesperson was not available for comment when contacted by BleepingComputer earlier today.