Food delivery services seem to be the new favorite of cybercriminals as attacks on these services have suddenly increased. In 2017, Hackread.com exclusively reported on the Zomato data breach in which a dark web hacker was selling 17 million customers’ accounts.
Recently a Germany-based food delivery service Takeaway.com was targeted with a DDoS attack and was asked to pay two bitcoins (USD 11,000) in ransom. Now another service Foodora has become the victim of a data breach.
Berlin-based Delivery Hero, the parent company of Foodora, has confirmed that Foodora become a target of a data breach leading to exposure of information of over 727,000 customers from 14 European countries including France, Spain, Finland, Italy, and Austria.
It is claimed that the data was compromised in 2019 and most of the exposed information is old, dating back to 2016. However, the company didn’t disclose the number of accounts affected by this breach.
According to data breach investigator Troy Hunt, the hacked data includes 79,000 Australian records from August 2015 to August 2016, and on the whole 600,000 unique email IDs have been exposed.
A majority of the passwords were hashed with bcrypt with 11 work factors, which will be difficult to decrypt given that their work factor is 11, but there are some salted MD5 hashes too, which can be cracked easily.
The hacked data includes details like usernames, full names, hashed Foodora service passwords, phone numbers, locations, and physical addresses. However, financial data including credit card details or payment information were not breached, but customers’ geolocation data was exposed.
Delivery Hero revealed that on May 19, the leaked customers’ data was posted on different hacking forums by unknown individuals.
The data was posted on a series of SQL files, each belonging to a particular country and the files were labeled as “Customers,” and “CustomersAddress.”
As it always happens in data breaches, Foodora customers affected in this breach are receiving suspicious emails from unidentified third-parties. Delivery Hero has started a thorough internal investigation to find out how the breach occurred and informed “relevant authorities” as well.
“We are working closely with our security and data protection teams, as well as local authorities, to identify what caused the breach and inform the affected parties,” the company noted.