Bengaluru-based FreshMenu exposes data of 3.5 mn users: Report

FreshMenu, a food delivery service platform based in Bengaluru, has reportedly exposed more than 3.5 million order details, including sensitive customer information such as phone numbers, emails, names, billing and shipping addresses, and IP addresses.

The leak was discovered by the Cybernews research team on Thursday, who found that a 26 GB MongoDB database containing the data was not password protected, leaving it vulnerable to public exposure.

On December 14 last year, Cybernews researchers notified FreshMenu about the data leak but received no response. However, the database has since been secured. Despite multiple queries from the researchers, FreshMenu did not provide any comments or acknowledgement.

The exposed data poses a significant risk, as it could be used by threat actors for identity theft, phishing attacks, and targeted scams. The leaked information is comprehensive enough to exploit customer vulnerabilities, compromise privacy, and potentially facilitate fraudulent activities.

Although the database was not exposed for an extended period, threat actors can quickly exploit open sets of data using automation. Therefore, companies must ensure that sensitive information is always protected from public access. It is worth noting that India has experienced several major data breaches in recent times, including a data breach on the RailYatri train ticketing platform in 2023, which was initially denied by the Railway Ministry.

Last year, an alleged leak in the CoWIN portal was reported, when a bot on the messaging platform Telegram was returning the personal data of Indian citizens. The data reportedly contained details including names, Aadhaar and passport numbers of individuals who registered with the Covid-19 vaccine network for vaccination purposes.

More recently, Taj Hotels, owned by the Tata Group, reportedly fell victim to a significant data breach which allegedly exposed personal information of 1.5 Mn customers. According to experts, the surge in cyber-attacks on Indian enterprises are driven by reliance on third-party platforms, interconnected ecosystems, lack of security hygiene, among others.

India was the 10th most breached country globally in Q3 2023, with 369,000 leaked accounts, according to a cybersecurity report by Surfshark. It remained one of the most breached countries in the world for the third quarter in a row in 2023, despite a decrease in the number of leaked accounts. India got the third position in Asia for the number of leaked accounts in the third quarter, it said.

A report by the Data Security Council of India (DSCI), released on December 20, revealed that India faced over 400 million cyber threats across 8.5 million endpoints in 2023, averaging 761 detections per minute. Technological advances, particularly in artificial intelligence, emerged as significant threats, posing the most substantial risks to Indian organisations.