Foodmandu Hacked: Security breach exposed 50K user data

Foodmandu has suffered a security breach with over 50K user records stolen from the food delivery company’s database. The stolen information has an email addresses, personal phone numbers, longitude/latitude (Geo Points), names, location of customers on the night of Saturday on March 7th, 2020.

 

According to Mr.Mugger, “The hacked data consists of 150K user’s personal details.”

According to Twitter handle, a user by the name of “mr_mugger” claimed to have hacked Foodmandu and exposed the data on Github creating Repository called Foodmandu and committed a git of 50K and later on committed 10563 users data. (The data may have appended to the previously exposed data.)

Foodmandu Hacked

The company got to know about the issue just one hour after the attack and started to fix the issue and started their inquiry to fix the loss. The company is however in contact with the Cyber Crime Division of Government of Nepal which is helping them to control the overall situation.

This is one kind of extensive data breach in Nepal. The data exposed the associated user information including the Founder of Foodmandu (Manohar Adhikari) itself, users from companies like Ncell, Nepal Telecom, Chaudhary Group, Banks, ISP’s also some government officials user personal information.

We assume that Foodmandu web application had some server-side security vulnerability (loophole), the attacker targeted internal systems that are behind firewalls and are not accessible from the external network using an attack called SSRF. A common example is when an attacker can master the third-party service URL to which the web application makes a request.

Meanwhile, you can change your password of the Foodmandu app through their web application or the mobile phone app.

WAYS TO CREATE STRONG PASSWORD:

  1. Do Not Use Personal Information
  2. Do Not Use Real Words
  3. Mix Different Character Types
  4. Use A Passphrase
  5. Change your password frequently

However, the customer needs not to panic, as the loss did not affect the present commercial act. The company asked for support from their customer and said to keep calm and have patience. Hope the Foodmandu resolve all its issue and continue their delivery like previously.

UPDATE:

Second statement on Cyber Incident by Foodmandu