Earlier this month, we echoed that a cybercriminal had managed to access the internal systems of the Spanish delivery company Glovo, thus managing to get hold of private data both from the platform's clients and from its 'riders'.
The cybersecurity researcher who sounded the alarm, Alex Holden, claimed to have had access to screenshots and videos showing how the intrusion had taken place: exploiting a vulnerability in an old admin panel, which was patched shortly after by the company.
However, at that time the data was already for sale on the Dark Web, where a 180 GB file of data was offered accessible to any interested buyer.
Today, however, on the website Derecho de la Red they have published a screenshot of a website in which it is offered for sale a much larger file, almost 500 GB - presumably, now, the complete database -, along with samples of the data it contains.
Glovo notified the AEPD of the intrusion, but informed the media that the data on the cards had not been affected, an aspect that would now be in doubt
We already know what kind of personal data was leaked
This is the visible text, translated:
Hello, we are putting the complete Glovo database up for sale. […] It's 480GB unzipped, 60GB compressed.
The complete database includes the following sections: 'users', 'distributors', 'clients', 'orders', 'partners', 'stores'.
Then they put an example of the data included in the 'Users' section: identification number, full name, date of birth, email, telephone, password, address, city code, Credit card number, DNI number and bank account number.
The most shocking thing about this new batch of private data lies in the fact that it seems to point to card numbers were included in the original leak Glovo users' banking information, information to which the company denied a few weeks ago that the 'hacker' could have accessed.
From Genbeta we have contacted Glovo about it and we will update when we have more information.
Via | Network Law
Image | Original by Angel Ganev via Flickr