EatStreet food ordering service discloses security breach

Hacker "Gnosticplayers" took credit for the hack in a private conversation with ZDNet last month.

EatStreet

Eatstreet, an online and mobile food ordering service, disclosed today a security breach that took place last month and during which a hacker stole the company's database, complete with customer and partner details.

ZDNet has learned that responsible for this breach is Gnosticplayers, a hacker who previously breached many other online services, including big names such as Canva, 500px, UnderArmor, ShareThis, GfyCat, Ge.tt, Evite, and others.

This reporter learned of the Eatstreet breach in conversations with the hacker during the process of verifying the Canva hack allegations last month.

At the time, the hacker only boasted about breaching EatStreet but did not provide any evidence of the hack.

Breach disclosed this week

However, in a series of data breach notification letters the company sent to end customers, delivery services, and restaurant partners, the company admitted to getting hacked.

Per EatStreet, the hacker breached its computer network on May 3 and proceeded to access and download information from its database, until May 17, when the company said it detected the intrusion and promptly terminated the hacker's access.

The hacker stole information on customers who used the EatStreet online or mobile service to order food from local restaurants to their homes.

The hacker also got hold of information EatStreet had on restaurants participating in its service, along with info on the third-party delivery services that the company had partnered with to deliver the food from restaurants to customers' homes.

Accessed information included names, phone numbers, email addresses, bank accounts, and routing numbers for restaurants and delivery services.

For customers who ordered food through the EatStreet app and website, information the hacker might have accessed or stolen included names, credit card numbers, expiration dates, card verification codes, billing addresses, email addresses, and phone numbers.

Hacker claims six million users impacted

The company did not say how many users were impacted by this security incident, but the company's website claims "EatStreet serves over 250 cities, connecting customers to more than 15,000 restaurants." On the Google Play Store, the EatStreet app is listed as having over 100,000 downloads.

In an email to ZDNet today, the hacker claimed he was in the possession of over six million user records he took from the company's servers. Over the past few months, this hacker has stolen and put up for sale 1,071 billion user credentials from 45 companies.

In its notification letter, EatStreet said it notified credit card payment processors of the hack "so that the card brands are [...] aware of the incident."

"In addition, we have enhanced the security of our systems, including reinforcing multi-factor authentication, rotating credential keys and reviewing and updating coding practices," EatStreet added.

Article updated with comments from Gnosticplayers about the breach's size.

More data breach coverage: