Breach Notification , Incident & Breach Response , Security Operations

Delivery Hero Confirms Foodora Data Breach

Personal Details on 727,000 Accounts in 14 Countries Leaked
Delivery Hero Confirms Foodora Data Breach
A Foodora delivery rider. (Photo: Marco Verch via Flickr/CC)

Delivery Hero, the online food delivery service, has confirmed a data breach of its Foodora brand.

See Also: Indicators of Compromise and Why It Takes Six-Plus Months to ID a Breach

Breached information from 14 countries includes personal details for 727,000 accounts - names, addresses, phone numbers and hashed passwords. It also contains latitude and longitude coordinates to six decimal points, which is accurate to within just a few inches. No financial data was leaked.

The data was posted May 19 on a well-known forum for leaking stolen data and also has been reposted online elsewhere.

"Unfortunately, we can confirm that a data breach has been identified concerning personal data dating back to 2016," Delivery Hero says. "The data originates from some countries across our current and previous markets."

Delivery Hero, which is based in Berlin, says it has "started a thorough internal investigation and has informed all relevant authorities. We are working closely with our security and data protection teams, as well as local authorities, to identify what caused the breach and inform the affected parties."

The company did not confirm the number of accounts affected, saying "we are still in the process of investigation." The company did not say when or if it planned to inform those affected.

14 Countries Affected

Someone who posted the data on the forum claims that Foodora was compromised last year.

The data appears to affect registered Foodora users in United Arab Emirates, Singapore, Germany, Spain, France, Finland, Italy, Austria, Hong Kong, the Netherlands, Canada, Sweden, Norway and Australia. In Singapore, Delivery Hero is the parent company of the Foodpanda online delivery service.

The data is a series of SQL files for each country, one labelled "CustomerAddress" and another "Customers."

The file directory for the Foodora data breach

The Australian data comprises around 79,000 records, says Troy Hunt, a data breach expert and creator of the Have I Been Pwned data breach notification service. The oldest Australian file dates from Aug. 25, 2015, and the latest one from April 22, 2016. Overall, the breach contains 600,000 unique email addresses, which Hunt plans to load into Have I Been Pwned.

Most of the passwords have been hashed with bcrypt with a work factor of 11, which is high, Hunt says. The work factor is the number of iterations of the hashing algorithm that are performed on a plain-text password. The higher the work factor, the more computationally intensive it is to crack, according to OWASP.

Generating random bcrypt hashes takes longer than creating hashes with other algorithms, such as MD5. But there are are some salted MD5 hashes in the Foodora data, Hunt says. MD5 hashes can be generated quickly, increasing the likelihood that a given hash can be linked to its original plain text. Many organizations moved away from using MD5 years ago for security reasons.

Location Data

Hunt says that data also includes notes that customers included with their orders, such as this amusing one: "Ring 4901 on intercom please. My good friend's over at suppertime. I believe your service is of exceptional quality and thank god that you are able to deliver food at under 30 minutes. This is your test run. Don't [expletive] up."

There's a potential for embarrassing location-based information to be revealed, Hunt says. For example, if someone paid for food delivered to an address that is not where the person lives, it could indicate a relationship.

The breach may be complicated for Delivery Hero to sort out because it has shut down Foodora operations in some of the affected countries over the last two years.

Delivery Hero shut down its Canadian Foodora operation in May. In 2018, it shut down Foodora in France, the Netherlands and Australia. Early last year, Delivery Hero sold its German operations, including Foodora, to the Dutch company Takeaway.

In Europe, Delivery Hero would be bound by the General Data Protection Regulation, which is the European Union's data protection law. Regulators there can impose fines of up to 4% of an organization's annual global revenue or €22 million, whichever is greater.

Those fines can be levied if a company violates the privacy rights of Europeans or fails to secure personal data (see: Big GDPR Fines in UK and Ireland: What's the Holdup?).

Hunt says several people alerted him to the Foodora breach over the last few weeks.

"It's amazing in this day and age to have data circulating between so many people and the organization not be aware of it," Hunt says.


About the Author

Jeremy Kirk

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.