US online grocery delivery platform leaks 11m user records

Weee!, a US-based online grocery delivery platform, had delivery data of 11 million customers leaked online. Some logs include door codes that couriers use to enter buildings.

The attacker uploaded a database with information on 11 million Weee! customers. The Cybernews research team confirmed that the leak appeared to be composed of data that didn’t appear in previous leaks.

The threat actor who posted the database claims that the database was stolen in February 2023. The attacker who posted the database appears to be the same person who leaked stolen data from mobile carrier US Cellular.

Weee leak
Threat actor announcing the leak. Image by Cybernews.

In the recent leak announcement, the attacker calls the victim “Sayweee.” However, ‘Sayweee’ is the name of the platform’s website. Weee! is an online grocery delivery platform specializing in Hispanic and Asian foods. The delivery platform operates throughout most of the United States and boasts its delivery app was downloaded over 2.6m times.

The threat actor claims the leaked database includes sensitive data, such as users’ first names, last names, emails, phone numbers, home addresses, delivery types, devices, and dates.

In essence, the database offers all information necessary to deliver groceries. For example, some of the logs include delivery notes that Weee! customers left for couriers, such as codes to enter residential or office buildings.

The company confirmed the breach to Cybernews on February 8, adding that no customer financial data was exposed.

The supposed leak includes personal identifiable information (PII) that hackers can abuse in numerous ways. Attackers can use the database to match first and last names with accurate email addresses, exposing user identities on other online services.

Exposed home addresses put users at a heightened risk of targeted scams, spear phishing campaigns, tracking, and unwanted contact. Meanwhile, leaked phone numbers could be used for marketing purposes, phishing, impersonation, and fraud.

In extreme cases, PII information could help attackers in attempts to commit identity fraud.

More from Cybernews:

Adversaries amass vast amounts of our data via commercial surveillance

Tinder rolls out Incognito Mode and blocking function

US Navy captain accused of using Facebook to humiliate civilian woman in cyberstalking campaign

Google unveils ChatGPT rival

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are markedmarked