EatStreet, an online and mobile food ordering service, disclosed today a security breach that took place last month, during which a hacker stole the company's database, complete with customer and partner details.
ZDNet has learned that the hacker responsible for this breach is Gnosticplayers, who previously breached many other online services, including big names such as Canva, 500px, UnderArmor, ShareThis, GfyCat, Ge.tt, Evite, and others.
This reporter learned of the EatStreet breach in conversations with the hacker during the process of verifying the Canva hack allegations last month.
At the time, the hacker only boasted about breaching EatStreet but did not provide any evidence of the hack.
Breach disclosed this week
Per EatStreet, the hacker breached its computer network on May 3 and proceeded to access and download information from its database until May 17, when the company said it detected the intrusion and promptly terminated the hacker's access.
The hacker stole information on customers who used the EatStreet online or mobile service to order food from local restaurants to their homes.
The hacker also got hold of information EatStreet had on restaurants participating in its service, along with info on the third-party delivery services that the company had partnered with to deliver the food from restaurants to customers' homes.
Accessed information included names, phone numbers, email addresses, bank accounts, and routing numbers for restaurants and delivery services.
For customers who ordered food through the EatStreet app and website, information the hacker might have accessed or stolen included names, credit card numbers, expiration dates, card verification codes, billing addresses, email addresses, and phone numbers.
Hacker claims six million users impacted
The company did not say how many users were impacted by this security incident, but the company's website claims "EatStreet serves over 250 cities, connecting customers to more than 15,000 restaurants." On the Google Play Store, the EatStreet app is listed as having over 100,000 downloads.
In an email to ZDNet today, the hacker claimed he was in possession of over six million user records he took from the company's servers. Over the past few months, this hacker has stolen and put up for sale 1,071 billion user credentials from 45 companies.
In its notification letter, EatStreet said it notified credit card payment processors of the hack "so that the card brands are [...] aware of the incident."
"In addition, we have enhanced the security of our systems, including reinforcing multi-factor authentication, rotating credential keys and reviewing and updating coding practices," EatStreet added.
Article updated with comments from Gnosticplayers about the breach's size.