Chowbus Delivery Service Breached, Hacker Emails Data To Users

A threat actor has hacked into the Chowbus food delivery service and emailed links to the stolen data to all customers.

Chowbus is a mobile-based Asian food delivery service that allows customers to order food from local restaurants in cities around the USA, Australia, and Canada.

At 1:33 a.m. yesterday, Chowbus customers began receiving mysterious emails titled “Chowbus data,” which simply stated, “Download Chowbus data here.” Included in the email were download links to both a user and restaurant database used by the food delivery service. 

According to numerous customers who received these emails, the links led to comma-separated values text files (CSV) that contained the exported databases for Chowbus.

The first CSV contained the names, phone numbers, commission rates, and addresses for 4,300 restaurants that works with the food delivery service.

The second database contained 803,350 Chowbus users’ information, including their email address, name, phone number, and address.

In an email to customers, Chowbus explained that they are investigating the hack, but none of the exposed data contained financial information or passwords.

“At approximately 1:30 a.m. CDT on October 5, Chowbus learned that some of our user data had been illegally accessed and made available online. As soon as we became aware of this incident, our security team quickly took steps to start addressing the issue.”

“The stolen data contained customer names, email addresses, phone numbers, and mailing addresses.”

Also Read: Going Beyond DPO Meaning: Ever Heard of Outsourced DPO?

“Thankfully, the data did not contain credit card information or Chowbus account passwords, and we are confident that this information is safe,” the Chowbus data breach notification stated.

BleepingComputer has contacted Chowbus with further questions but has not heard back yet.

Checking if you are in the Chowbus data breach

If you are a ChowBus customer, you can check if your information was exposed in the breach by using the Have I Been Pwned data breach notification site.

To do this, simply go to https://haveibeenpwned.com, enter your email address in the search field, and click on the ‘pwned?’ button.

The site will check its databases for your email address and list any data breaches that are being monitored for your information.

Also Read: How To Check Data Breach And How Can We Prevent It