In total, hackers managed to steal 11.3 million order details, including 1.1 million email addresses belonging to Weee! customers.
A data breach affecting the US-based online grocery delivery platform, Weee!, has resulted in 1.1 million customers’ data being leaked online. On Monday, a threat actor named IntelBroker posted the database on BreachForums.
It is worth noting that BreachForums is a hacker and cybercrime forum that surfaced as an alternative to the popular and now-seized Raidforums.
“Weee!” is particularly popular amongst Asian and Hispanic communities, delivering food across 48 states in the USA via warehouses spread throughout the country. Its delivery app has been downloaded over 2.6M times.
The breach forum post reads, “In February 2023, a database of 11 million customers belonging to Sayweee was stolen by hackers.”
However, security researcher Troy Hunt of Have I Been Pwned, a data breach notification service, confirmed that the leaked data only includes 1.1 million unique email addresses. The additional entries are likely due to multiple orders placed by the same customer.
The leak contains information such as Weee! customers’ first and last names, email addresses, phone numbers, device type (iOS, PC, Android), order notes, dates, and other data the delivery platform uses.
Some of the logs also included delivery notes that customers of Weee! left for couriers, such as codes to enter residential or office buildings.
The company’s spokesperson stated that “Weee! is aware that a data breach has affected some of its customers.” They also confirmed that the breach did not impact user financial data, as the online grocery delivery platform does not retain any payment details.
“For customers that placed an order between July 12, 2021, and July 12, 2022, information such as name, address, email addresses, phone number, order number, and order comments may have been impacted,” the company’s representative said.
“We have notified all customers of the issue and will be notifying all impacted customers individually if their information was exposed,” Weee!’s spokesperson explained.
“Security is a top priority for us and we are undertaking a thorough review to ensure we continue to deliver on the trust the Weee! Community places in us.”
The personally identifiable information (PII) in the leak can be abused by hackers in numerous ways. Exposed home addresses put users at a heightened risk of targeted scams and spear phishing campaigns, tracking, and unwanted contact.
On the other hand, leaked phone numbers could be used for marketing purposes, phishing, impersonation, and fraud. In extreme cases, PII information could be used by attackers to attempt identity fraud.