Glovo has acknowledged the leak of this data, although it sought to reassure customers and employees by explaining that this is not a new hack, but a new sale of the database that was hacked in April 2021.
For sale on the Dark Web
Those worst affected are Glovo's own employees and those who work for the Spanish start-up as self-employed couriers. The courier data in this database includes their full names, as well as their DNIs, telephone numbers, emails, bank account numbers, home addresses, types of contract and even the type of transport they use to carry orders from one place to another.
Obviously, this data should never have left the human resources department, but it will end up in the wrong hands if someone buys the database on the Dark Web.
This dataset includes 5,790,563 customers, 21,379 employees, 37,509 couriers and 3,854 mc donald incident report records.
— Daily Dark Web (@DailyDarkWeb) August 2, 2022
The database includes information on 5,790,563 customer orders, with details such as the order description, the customer, the delivery person or the delivery time. This section does not seem to contain as much sensitive information on this occasion, but if the data is the same as that of 2021, it was sold back then as including all kinds of information recorded by customers, such as:
- Full name
- Date of Birth
- Password hashed with SHA256
- Phone number
- Physical address
- Postal Code
- Credit card, expiration date and CVC
- IBAN of the bank account
2021 hack data
Glovo has acknowledged that this leak is real, but wanted to clarify that it corresponds to the cyberattack it suffered last year, which we told you about in ADSLZone, when an attacker gained privileged and unauthorized access to one of its systems through an old administration panel. According to the company, this is only a reappearance of that same data.
The person offering this database on the dark web has not set a price, but lists an encrypted ProtonMail email address where offers can be sent. The seller claims the database is exclusive: “Important: This is an exclusive database. I’m going to sell it once”.
“After the discovery of the breach in April 2021, all access to information was blocked. Although the attacker managed to access details such as IBAN for a small period of time, no data related to credit and debit cards was exposed as we do not store such information and passwords are encrypted,” explains the company.
“At Glovo we take security very seriously. The investigation into this matter concluded in 2021 and was accompanied by a full audit into the integrity of our systems. We also contacted the Spanish Agency for Data Protection and offered them all the information they required for their investigation.”