Apparently, hackers were already able to steal data from 480,000 customers in 2016. Now it has ended up on the net. It includes names, phone numbers, addresses and passwords.
The Foodora delivery service fell victim to a hacking attack in 2016. Personal data from around 480,000 customers was taken and has now been published in a forum. The company confirmed this to the Süddeutsche Zeitung. 200,000 Germans are among those affected.
There were already reports in mid-June, after which the data appeared in a darknet forum. Troy Hunt, the operator of the data leak database “Have I Been Pwned”, came across the collection there and then fed it into his platform. The website lets users enter their email address to find out whether it and possibly other personal details are at risk from a known data leak and are being abused on the Internet.
The data that could be read out from the accounts includes, among other things, the customer’s name, residential and e-mail address and telephone number. Both Foodora and the service Have I Been Pwned, on its Twitter account of the same name, confirm this. However, the latter gives a significantly higher figure, with 583,000 affected. The numbers in this and other reports may differ from the information provided by Foodora because individual users sometimes had multiple accounts.
According to Hunt, the customers most affected are those whose passwords were secured with the older and now unsafe hash procedure MD5. This should particularly affect users who had not been active on the platform for a long time before 2016. Foodora is now using a more secure form of password encryption. According to the company, plain text passwords were not read out. Affected customers should change their passwords as a precaution, as shorter encrypted passwords can be cracked quickly with modern computers.
Foodora is a subsidiary of the international ordering platform Delivery Hero, which is based in Berlin. The company writes on its homepage that, in accordance with the General Data Protection Regulation, the data protection authority was informed on the same day that the leak became known. Just last year, the Berlin data protection officer Maja Smoltczyk had imposed fines of almost 200,000 euros on Delivery Hero, the highest to date that a company in Germany had to pay for data protection violations. Delivery Hero had violated customer deletion and objection rights in several cases.
According to Delivery Hero, the problem responsible for the leak has now been identified and resolved. In the company’s view, the already leaked customer data could still be viewed in “underground forums” by users registered there. The operator was asked to delete the data there immediately.