3.5M users' dinner habits exposed in data leak

FreshMenu, a popular food delivery service, has exposed over 3.5 million order details along with sensitive customer information, including phone numbers and food delivery addresses.

FreshMenu, which delivers food to Bangalore, Mumbai, Gurgaon, and Delhi, has exposed its customer data to the public, recent research by the Cybernews research team has revealed.

Researchers stumbled upon a 26GB-strong MongoDB database that wasn’t secured with a password, meaning that anyone could potentially access it. The database contained over 3.5 million orders.

While users might not really care if threat actors find out what they’ve ordered, unfortunately, the company also exposed customer data along with their orders, including:

  • Names
  • Emails
  • Phone numbers
  • Billing and shipping addresses
  • IP addresses

As per our researchers, the database wasn’t exposed for long – only around 2-3 days. However, it takes mere seconds for threat actors to dump discovered open sets of data using automation, and companies need to make sure that sensitive information is always hidden from the public eye.

We sent out a responsible disclosure to the company on December 14th. We received no reply, but the database was secured. We’ve also reached out to FreshMenu for an on-the-record comment but received no response before going to press.

“The exposed data provides threat actors with the potential to engage in identity theft, phishing attacks, and targeted scams. The comprehensive nature of the leaked information could enable malicious actors to exploit customer vulnerabilities, compromise privacy, and potentially perpetrate fraudulent activities,” Cybernews researchers noted.

Fresh Menu data leak proof