US supermarket chain Wegmans suffers data breach due to ‘misconfigured’ databases

US supermarket chain Wegmans Food Markets has announced it has suffered a data breach after two databases were accessible online due to a “misconfiguration”.

The company, which is headquartered in New York, said that customer names, addresses, phone numbers, birth dates, Shoppers Club numbers, email addresses, and passwords for Wegmans.com accounts were included in these databases.

The account passwords were hashed and salted, said Wegmans, and social security numbers and financial information was not accessed.

Wegmans said the misconfiguration issue, which was reported to them by a security researcher, began “on or about April 19, 2021” and has now been rectified.

A press release reads: “Wegmans worked diligently with a leading forensics firm to investigate and determine the incident’s scope, identify the information in the two databases, ensure the integrity and security of the systems, and correct the issue.

“Wegmans also notified any customers who may have been affected by this issue.”

It is not yet clear how many people were impacted. The Daily Swig has reached out to Wegmans for further comment.

Credential stuffing attack

The incident comes just months after Wegmans customer accounts were potentially breached following a suspected credential stuffing attack.

A security advisory sent to customers in February this year revealed that information including names, phone numbers, addresses, dates of birth, and Wegmans Shoppers Club numbers may have been accessed.

Source: https://portswigger.net/daily-swig/us-supermarket-chain-wegmans-suffers-data-breach-due-to-misconfigured-databases