Cyber Incident Victim: Yemeksepeti

On March 25, 2021, Yemeksepeti, a prominent online food delivery platform operating in Turkey and Cyprus, publicly disclosed a cybersecurity incident affecting its systems. The company announced the breach on the morning of March 25, characterizing it as a cyberattack that compromised certain categories of user information. According to their translated statement, the attackers accessed personally identifiable information including full names, dates of birth, phone numbers registered with the service, and email addresses associated with user accounts. The breach also exposed physical address details stored within Yemeksepeti's systems and user account passwords, though the company emphasized these passwords were cryptographically protected using the SHA-256 hashing algorithm prior to exposure. Notably, Yemeksepeti confirmed that financial data such as credit card information remained unaffected by the intrusion, limiting the immediate financial fraud risks to customers.

Yemeksepeti issued its formal statement regarding the incident through the Turkish newspaper Hürriyet on March 27, 2021, two days after detecting the breach. The disclosure confirmed the exposure of multiple sensitive data elements that could facilitate identity theft, phishing campaigns, or credential-stuffing attacks against affected users. While the hashed password storage reduced immediate account compromise risks, the presence of weakly hashed credentials could still enable brute-force decryption attempts depending on password complexity. The company did not specify the attack vector, duration of unauthorized access, or total number of impacted accounts in its public announcement. No operational disruptions to food delivery services were reported in conjunction with the data breach. The incident highlighted vulnerabilities in protecting non-financial customer data within Turkey’s e-commerce sector.