Food delivery platform exposes customer names, addresses


GonnaOrder, a Europe-based food delivery platform, left an unprotected instance, exposing food lovers’ data to anyone willing to look.

Fighting food cravings can benefit more than your waistline. The Cybernews research team recently discovered that the food delivery app GonnaOrder was leaking thousands of people's personal details.

The main cause behind the leak – a misconfigured Kafka Broker instance – exposed real-time order information. While the team monitored the leak for only one hour, over two thousand unique customers had their details exposed.

Worryingly, the team believes that the leaky instance has been open since August 2022, due to how it was indexed on an IoT search engine.

After researchers repeatedly attempted to contact the company, GonnaOrder finally closed the instance in late May 2025.

The company told Cybernews that it acted “swiftly on the notification from the researchers” and promptly fixed the issue.

“We are in the process of performing a post-mortem analysis. The preliminary analysis report shows that no critical or sensitive data has been accessed/modified. Once the final report is ready, we will further update all stakeholders,” the company's representative said.

What details did the GonnaOrder data leak expose?

According to the team, the leaking Kafka Broker instance revealed numerous order details, affecting the customers of restaurants, bars, hotels, and small shops in multiple European countries.

Most of the affected customers were located in the UK, Belgium, Greece, Germany, and the Netherlands.

Kafka is a real-time streaming platform designed to move data between multiple systems. It is not meant for long-term storage and does not hold large amounts of data at any one time. However, an attacker can set up a “collector” that continuously “scrapes” a leaking instance, accumulating large amounts of data over a long period.
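As an added example that is not from the article or from GonnaOrder, the script below audits a Kafka broker's `server.properties` for the exposed shape described here: a broker reachable without authentication that will hand its topics to any client. The article does not say which setting was misconfigured, so the checks assume the common case of a PLAINTEXT listener on a public interface with no authorizer; the sample configurations are constructed.

```python
# Added example, not code from the article or from GonnaOrder: audit a Kafka broker's
# server.properties for the shape of misconfiguration that leaves a broker readable
# by anyone who can reach it. The article does not say which setting was wrong; this
# assumes a PLAINTEXT listener on a public interface with no authorizer configured.

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_properties(text):
    """Parse Java-style key=value properties, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit_kafka_config(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    p = parse_properties(text)
    findings = []
    # Listener names may be aliases; listener.security.protocol.map resolves them.
    proto_map = dict(item.strip().split(":", 1)
                     for item in p.get("listener.security.protocol.map", "").split(",")
                     if ":" in item)
    # Kafka's default when 'listeners' is absent is PLAINTEXT://:9092 on all interfaces.
    for listener in p.get("listeners", "PLAINTEXT://:9092").split(","):
        name, _, hostport = listener.strip().partition("://")
        host = hostport.rsplit(":", 1)[0].strip("[]")   # "" means every interface
        if proto_map.get(name, name).upper() == "PLAINTEXT" and host not in LOOPBACK:
            findings.append(f"unauthenticated PLAINTEXT listener on {host or 'all interfaces'}")
    if "authorizer.class.name" not in p:
        findings.append("no authorizer.class.name set: every client can read every topic")
    if p.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("allow.everyone.if.no.acl.found=true bypasses ACLs for unlisted topics")
    return findings

# Constructed sample configs (not GonnaOrder's): the exposed shape and a hardened one.
WEAK_CONFIG = "listeners=PLAINTEXT://0.0.0.0:9092\nadvertised.listeners=PLAINTEXT://kafka.example.invalid:9092\n"
HARDENED_CONFIG = """
listeners=SASL_SSL://0.0.0.0:9093,PLAINTEXT://127.0.0.1:9092
sasl.enabled.mechanisms=SCRAM-SHA-512
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_kafka_config(cfg) or ["no findings"])
```

The loopback-only PLAINTEXT listener in the hardened sample is deliberately not flagged, since it is unreachable from outside the host; the public listener there requires TLS and SASL, and ACLs are enforced.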

“Throughout the whole time the exposed instance was open, malicious actors could have obtained millions of customers’ data, including names, phone numbers, home addresses, as well as order details, which can often contain private info such as access codes to enter the building,” the team said.

Overall, the team estimates the following details were exposed:

  • Customer orders
  • Restaurants and hotels where orders were made
  • Customer phone numbers
  • Email addresses
  • Home addresses
  • Delivery notes
  • Payment methods used

There are numerous ways threat actors can use this type of data; the most common is identity theft. Attackers could also try to sell the data on the dark web to parties interested in using any revealed access codes for physical crime, such as burglary.


  • Leak discovered: March 26th, 2025
  • Initial disclosure: April 2nd, 2025
  • CERT contacted: April 9th, 2025
  • Leak closed: May 27th, 2025

Updated on June 12th [02:15 p.m. GMT] with a statement from the company's representative.
