Food Delivery Service Chowbus hacked, more than 400K customer impacted

The popular Asian food delivery platform Chowbus has been hacked, attackers stole customer data and emailed victims as proof of the attack.

Hackers have stolen customer data from the food delivery platform Chowbus and emailed victims to inform them of the data breach.

The service is currently available in Australia, Canada and the United States, it has several hundreds of thousands of customers.

Several customers revealed on social media to have received the emails, some of them also shared the messages on Reddit.

The hackers claim to have stolen the entire database of the company containing customers data, the attackers have exported them in a series of comma-separated values (CSV) files and sent to the customers the link to these archives.

The exposed data includes customer names, email addresses, phone numbers, addresses (city, state, zip code), rates, and addresses for the Chowbus partner restaurants.

Experts who analyzed the leaked into conformed that the CSV file for restaurants contains 4,300 records, while the customer CSV files for include 803,350 records.

Chowbus customers that want to check if their data have been exposed could query the data breach notification website Have I Been Pwned, which have already loaded the data from the incident in its platform. According to HIBP the overall database included data related to a total of 444,224 Chowbus accounts.

At the time of writing this post, the link to the stolen customer data was no longer working, Chowbus also started notifying customers.

The company confirmed to be aware of the data breach and told to one user that its security team has quickly addressed the issue and implemented the measures to secure its systems.

The food delivery firm added that financial data, such as credit card information, have not be exposed because the platform does not manage it in its systems. Chowbus added that credit card information and transactiona are processed through Stripe, a secure 3rd party payment processor.

Chowbus did not disclose technical details of the incident, but it is still investigating the incident and plans to share additional information in the coming days.

“We became aware of the situation at approximately 1:30 a.m. CDT on October 5 and are working diligently to address the matter. We take our responsibility for privacy and security seriously, and we are working to discover additional facts. We expect to provide additional information to our community in the coming days,” reads a statement from the company sent to SecurityWeek.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Chowbus)

[adrotate banner=”5″]

[adrotate banner=”13″]