Hackers were apparently able to steal customer data as early as 2016. That data has now surfaced online. It includes names, phone numbers, addresses and passwords.
The Foodora delivery service fell victim to a hacking attack in 2016. Personal data from around 480,000 customers was extracted and has now been published in a forum. The company confirmed this to the Süddeutsche Zeitung. 200,000 Germans were among those affected.
Reports that the data had appeared in a darknet forum emerged as early as mid-June. Troy Hunt, who runs the data leak database “Have I Been Pwned”, came across the collection there and then added it to his platform. The website lets users enter their e-mail address to find out whether it, and possibly other personal details, are at risk from a known data leak and are being abused on the Internet.
The data extracted from the accounts includes, among other things, customers' names, home and e-mail addresses and telephone numbers. Both Foodora and Have I Been Pwned, on the service's Twitter account of the same name, confirm this. However, Have I Been Pwned gives a significantly higher figure of 583,000 people affected. The difference between the figures in this and other reports and the information provided by Foodora may be because individual users sometimes had multiple accounts.
According to Hunt, the customers primarily affected are those whose passwords were protected with the older, now insecure MD5 hash function. Such functions convert a password into a fixed-length string of characters, which is then stored in the database instead of the password. The leak is likely to affect primarily users who had not been active on the platform for a long time before 2016. Foodora now uses a more secure method of protecting stored passwords. According to the company, no plain-text passwords were extracted. Affected customers should change their passwords as a precaution, because shorter hashed passwords can still be cracked quickly with modern computers.
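The following added example (not from the article or from Foodora) shows a rehash-on-login migration from unsalted MD5 to a salted, slow hash, which is one way long-inactive accounts end up still holding MD5 digests. The article does not say which scheme Foodora adopted or how it migrated; PBKDF2-HMAC-SHA256, the record format, the iteration count and the sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor for this example

def legacy_md5(password):
    """Old scheme: unsalted MD5, so equal passwords give equal digests."""
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_record(password, salt=None, iterations=ITERATIONS):
    """New scheme: random per-user salt plus a deliberately slow KDF."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"

def verify_and_upgrade(password, stored):
    """Return (ok, record_to_store); a legacy record is replaced on a good login."""
    if stored.startswith("pbkdf2$"):
        _, iterations, salt_hex, _ = stored.split("$")
        candidate = pbkdf2_record(password, bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, stored), stored
    if hmac.compare_digest(legacy_md5(password), stored):
        return True, pbkdf2_record(password)  # upgrade while we hold the plaintext
    return False, stored

def demo():
    # Constructed accounts: both users picked the same password in the old scheme.
    db = {"active": legacy_md5("sommer2015"), "dormant": legacy_md5("sommer2015")}
    duplicates_visible = db["active"] == db["dormant"]
    # Only "active" logs in after the new scheme is deployed.
    ok, db["active"] = verify_and_upgrade("sommer2015", db["active"])
    return duplicates_visible, ok, db

if __name__ == "__main__":
    visible, ok, db = demo()
    print("identical MD5 digests:", visible, "| login ok:", ok)
    for user, record in db.items():
        print(user, "->", record.split("$")[0] if "$" in record else "md5 (legacy)")
```

Because the upgrade needs the plaintext password, an account that never logs in again keeps its MD5 digest until the operator forces a reset or wraps the old digest in the new scheme.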
Foodora is a subsidiary of the international ordering platform Delivery Hero, which is based in Berlin. The company writes on its website that, in accordance with the General Data Protection Regulation, the data protection authority was informed on the same day that the leak became known. Just last year, the Berlin data protection officer Maja Smoltczyk had fined Delivery Hero almost 200,000 euros, the highest fine that a company in Germany had had to pay for data protection violations. Delivery Hero had violated customers' rights to deletion and objection in several cases.
According to Delivery Hero, the problem responsible for the leak has now been identified and resolved. In the company's view, the customer data that has already leaked could still be viewed in “underground forums” by users registered there. The operator was asked to delete the data there immediately.