Cyber Incident Victim: Delivery Hero
Date:
May 2020
Location:
Germany
Summary
Delivery Hero confirmed a data breach impacting its Foodora brand, exposing personal information of approximately 727,000 accounts across 14 countries. Compromised data included names, addresses, phone numbers, highly precise geolocation coordinates, and order-related notes, with no financial details affected. The leaked information, featuring passwords primarily hashed using strong bcrypt encryption alongside weaker salted MD5 in some cases, appeared on a public forum and circulated widely. Historical customer records were involved, complicating response efforts due to the brand's prior market exits in several affected regions. The company initiated an internal investigation, notified relevant authorities, and collaborated with security teams to determine the breach's cause, though it had not yet finalized the scope of impacted individuals or communicated directly with affected users at the time of reporting.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On June 15, 2020, Delivery Hero confirmed a data breach affecting its Foodora brand, involving personal information from 727,000 accounts across 14 countries. The compromised data, originating from systems dating back to 2016, was posted on a public forum on May 19, 2020, and subsequently redistributed elsewhere. Exposed records included full names, physical addresses, phone numbers, hashed passwords, and latitude/longitude coordinates accurate to within inches. The dataset comprised SQL files labeled "CustomerAddress" and "Customers" segmented by country, with 600,000 unique email addresses identified. Affected nations included United Arab Emirates, Singapore, Germany, Spain, France, Finland, Italy, Austria, Hong Kong, the Netherlands, Canada, Sweden, Norway, and Australia. The Australian subset alone contained approximately 79,000 records spanning August 2015 to April 2016. While most passwords were secured with bcrypt hashing at a work factor of 11—a computationally intensive standard—some used weaker salted MD5 hashing. No financial information was exposed. Additional compromised data fields contained customer order notes and delivery location details, creating potential privacy risks through precise movement tracking or revelation of non-residential delivery addresses.
Delivery Hero initiated an internal investigation upon discovery and notified relevant authorities but did not publicly confirm the total affected accounts or commit to individual victim notifications. The breach's operational complexity stemmed from Foodora's market exits prior to disclosure, including closures in Canada (May 2020), France, Netherlands, Australia (2018), and the sale of German operations to Takeaway in early 2019. GDPR compliance obligations applied to European user data, exposing the company to potential fines of up to 4% of global annual revenue. Security researcher Troy Hunt verified the dataset's authenticity, noting its prolonged underground circulation before organizational awareness. The coordinate precision enabled identification of specific delivery locations like individual apartments, while order notes revealed personally identifiable instructions. Hunt incorporated the email addresses into his Have I Been Pwned notification service. The incident's impact persisted through residual data exposure risks, particularly for discontinued market users unaware of the breach due to Foodora's operational cessation in their regions.