Cyberattack exposes personal details of thousands of Foodmandu users
March 9, 2020 10:45 AM NPT
KATHMANDU, March 9: Personal information of more than 50,000 users of Foodmandu, a popular online food delivery service, has been publicly exposed following a cyberattack by a hacker.
The hacker released data, including names, addresses and mobile phone numbers of Foodmandu users, on a website.
Releasing a statement on Sunday, Foodmandu said it fixed the loophole in its web application immediately after identifying the incident.
“We fixed the loophole in our web application immediately after the incident identification last night itself and our team is investigating any further issues proactively. We are committed to protecting all forms of customer data,” read the statement issued by the company's CEO Nidhaan Shrestha.
Foodmandu currently delivers food from 500 plus restaurants across three cities of the Kathmandu Valley through a pool of 200 riders. The company also delivers fresh vegetables, beverages and cakes to its patrons from farmers' markets, traders and leading hotels.
The company, however, did not make clear which loophole the hacker exploited to gain access to the user accounts and take control of them. The release of the users' personal records has also highlighted the company's security vulnerability and its lack of tighter control in protecting its users' personal information.
Foodmandu's CEO Shrestha also said that the company is in contact with the Cyber Crime Division for further investigation into the data breach. The company has claimed that there is no impact on its commercial operations. The motivation of the hacker also remains unclear.
A Twitter handle (@mr_mugger), which released the personal records in a tweet, accused the company of neglecting the security vulnerabilities.
“Foodmandu 50K User Details Dump. So here it is, imma [I am going to] be real I am tired of how they neglect the security vulns [vulnerabilities]. The Database consists of more than 150K User's Personal Details, Latitude-Longitude, Address, and email. However, the demo is filtered,” read the tweet.
Following the release of the personal information online, some users have also raised concerns over the compromise of their accounts and passwords. However, representatives deny such a possibility.
“It's the attack on the web application through security vulnerability. We have closed that loophole. However, our server and database are safe so far. Passwords of the users have not been leaked,” Manohar Adhikari, a founder at Foodmandu, told Republica.
The company also said that it has sent a takedown request to the relevant authorities where the data has been uploaded.