Data leak at Thermomix: data from 1 million German users on the darknet

There was a data leak at Vorwerk, as the provider of household appliances announced. The breach affected the Thermomix manufacturer's forum "rezeptwelt.de" and led to unknown persons being able to capture masses of user data. The data is for sale on the darknet. All those affected have been informed and the breach has been closed. Nevertheless, Vorwerk Rezeptwelt members are advised to be careful: further attacks are imminent.

Millions of member data have been stolen from the Thermomix recipe forum and are now for sale on the Darknet. The data set contains the personal data of over three million Rezeptwelt members, including email addresses, telephone numbers, addresses and cooking skills. According to Vorwerk's statement, the breach only lasted three days – from January 30 to February 3, 2025, and the access did not take place on Vorwerk's own servers, but at an external service provider.

In addition to a good million German victims, between three and four hundred thousand English-, Spanish-, French-, Italian- and Polish-speaking users as well as a good 150,000 Portuguese-speaking users are affected. The Rezeptwelt forum is aimed at a global user base – including Thermomix users from Australia and the Czech Republic.

Only forum affected

Vorwerk reacted immediately after the incident and was able to contain it quickly. In cooperation with security experts and data protection specialists, the company was able to rule out the possibility that other systems or the online store were affected. The company urges caution: criminals could now use the stolen data to launch credible phishing attacks against Rezeptwelt members. Vorwerk has informed the supervisory authorities as well as all affected users.

However, the specific security gap is still unclear. According to the author, some indications in the test data set suggest that the attackers penetrated a staging system with user privileges and extracted data from there, for example via an open API. The fact that the data records do not contain any password hashes speaks against access to the forum database or even a server break-in. As these would significantly increase the sales value, it seems unlikely that the attacker(s) would retain them. We have asked Vorwerk to comment on the nature of the attack and will update this message if necessary.

Check for "Have I been pwned"

The attacker or attackers are offering the data for sale in a relevant darknet forum for 1,500 US dollars, but are willing to negotiate the price. Presumably mainly because the crown jewels of a data leak – hashed or plaintext passwords – are not part of the offer. As is usual for such offers, a few demo data sets are available, which look authentic at first glance.

The data has also landed at "Have I been pwned" (HIBP) in the meantime. On the website, internet users can use their email address to check whether they have been affected by data leaks – including members of Rezeptewelt. As the operators of HIBP write in a note, a source called "ayame" provided them with the data records. This pseudonym was also used by the forum user who offered the data for sale on the darknet. The description of the data set deposited with HIBP also matches the darknet posting of the thief. As the operators of HIBP randomly check whether the data records provided to them are genuine, it is likely to be real Rezeptwelt user data.

Explosive data leaks have occurred on a massive scale recently. In the last week of January and the first week of February 2025 alone, we reported on security problems at rehab clinics and legaltechs; those involved even speak of a "habituation effect" that makes them blunt. The 127th episode of the heise data protection podcast "Auslegungssache" also deals with data leaks and how they are handled by companies and supervisory authorities.

(cku)