- Food delivery app Chowbus emailed customer names, full addresses, and phone numbers to other users on Monday.
- Screenshots of an email posted to Reddit suggest the breach may have impacted hundreds of thousands of customers.
- The company, which delivers from Asian restaurants and stores in the US, Canada, and Australia, didn’t comment on how the breach occurred, but said data was “illegally accessed.”
- Credit card information and passwords were safe, it added.
- Visit Business Insider’s homepage for more stories.
Asian food delivery service Chowbus emailed customer data, including home addresses and phone numbers, to some of its users after a breach on Monday.
An email address registered with the company sent a link to files containing details of about 4,300 restaurants as well as information about hundreds of thousands of customers, screenshots posted to Reddit suggest. The files, sent Monday, appeared to include names, postal addresses, phone numbers, and more than 400,000 email addresses, according to data breach watchdog Have I Been Pwned.
At least some of the data related to test accounts, the Reddit screenshots suggest.
“Pretty sure it had everyone’s stuff,” one Reddit user posted. “The CSV file was like 69MB large and I had no problem finding my own stuff.”
It is not clear how many customers received the email, which had the subject line “Chowbus Data.”
Chowbus confirmed the breach in an email to customers sent Monday. Some user data “had been illegally accessed and made available online,” it said. The company didn’t comment on how the breach occurred, or how many customers were affected.
Customers’ credit card information was safe because transactions are processed by a third-party company, Stripe, Chowbus said on Twitter. The files didn’t contain customers’ passwords, it said.
“We are confident your credit card information is safe,” it said.
“As soon as we became aware of this incident, our security team quickly took steps to secure our systems, including our customers’ account information,” Chowbus said on Twitter, adding that the company had disabled links from the original email.
The hack only affected US users, Chowbus told Australian publication The RiotACT. But the site reported that Australian users were also included in the hack. The delivery service only launched operations in the country on September 30.
Business Insider has contacted Chowbus for comment.