A recent report has unveiled a major data breach at foodtech platform FreshMenu, impacting over 3.5 million users.
The exposed data includes detailed order information along with sensitive customer details such as phone numbers and delivery addresses, raising concerns about the privacy and security of the affected individuals.
According to findings by the Cybernews research team, FreshMenu, known for its food delivery services in Bengaluru, Mumbai, Gurugram, and Delhi, left its customer data vulnerable to unauthorized access.
The researchers stumbled upon a 26GB MongoDB database that lacked password protection, making it accessible to anyone. The database held records of over 3.5 million orders, exposing users’ order specifics as well as personal information, including names, emails, phone numbers, billing and shipping addresses, and IP addresses.
The exposed database remained accessible for a relatively brief period, estimated at only 2-3 days. Despite the limited duration, the potential ramifications are substantial. The exposed data gives threat actors an opportunity to commit identity theft, run phishing attacks, and launch targeted scams, as highlighted by the researchers.
“The comprehensive nature of the leaked information could enable malicious actors to exploit customer vulnerabilities, compromise privacy, and potentially perpetrate fraudulent activities,” noted the researchers, underscoring the severity of the situation.
This revelation comes in the wake of a recently uncovered cyber-espionage campaign dubbed ‘Operation RusticWeb.’ Targeting personnel within the Indian government, this sophisticated campaign employs Rust-based malware and encrypted PowerShell commands to clandestinely extract confidential documents. First detected in October 2023, ‘Operation RusticWeb’ has raised concerns about the broader landscape of cyber threats facing organizations and individuals alike.