Cyber Incident Victim: Foodora
Date: May 2020
Location: Germany
Summary
A data breach at Foodora exposed personal information of 727,000 users across 14 countries, including names, addresses, phone numbers, precise geolocation data, and password hashes (primarily bcrypt with some MD5). Customer order notes containing sensitive instructions were also compromised. The breach involved historical data posted on a public forum, prompting an internal investigation by the parent company, which notified authorities but had not yet disclosed notification plans for affected individuals. The incident impacted both current and former markets, with potential GDPR implications due to European user involvement.
Description
In June 2020, Delivery Hero confirmed a data breach impacting its Foodora brand, involving personal information from approximately 727,000 user accounts across 14 countries. The compromised data, originating from systems dating back to 2016, included names, addresses, phone numbers, hashed passwords, and precise latitude/longitude coordinates accurate to within inches. The breach was publicly disclosed when the data appeared on a prominent leak forum on May 19, 2020, with subsequent reposts across other platforms. Affected countries spanned the United Arab Emirates, Singapore, Germany, Spain, France, Finland, Italy, Austria, Hong Kong, the Netherlands, Canada, Sweden, Norway, and Australia. Delivery Hero initiated an internal investigation upon discovery and notified relevant authorities but did not publicly confirm the exact number of compromised accounts or specify timelines for notifying affected individuals. The dataset comprised SQL files labeled "CustomerAddress" and "Customers," containing 600,000 unique email addresses according to independent analysis. No financial information was exposed in the breach.

Technical examination revealed most passwords were secured with bcrypt hashing at a work factor of 11, indicating relatively strong protection, though some credentials used outdated salted MD5 hashes vulnerable to rapid cracking. The leaked location data included delivery notes containing potentially sensitive personal information, such as specific delivery instructions and non-residential addresses that could imply undisclosed relationships. Operational complications arose from Delivery Hero having discontinued Foodora services in several affected jurisdictions prior to the breach—including France, the Netherlands, and Australia in 2018, Canada in May 2020, and Germany through a 2019 sale to Takeaway. The exposure of precise geolocation data and personal details created risks of targeted harassment, physical security threats, and reputational damage to users. GDPR compliance implications emerged for European operations, where regulators could impose fines up to 4% of global revenue for security failures. Independent cybersecurity experts verified the data's authenticity and noted the prolonged circulation of breached information before organizational awareness.
