Chicago-based Asian food delivery service Chowbus has suffered a data breach with more than 800,000 customer records and 444,000 unique email address exposed.
According to the Chicago Tribune, reports from customers on Twitter said they began receiving emails yesterday labeled “Chowbus data” that contained links where they could download company databases containing contact information for restaurants and customers.
A Reddit thread said the files are in .cvs format, and contain 4,300 critical business/personal information entries in the restaurant file, while the “users” file has 803,350 files. Both contain names and contact information.
While Chowbus has not confirmed how many customers were affected or how the breach happened, company founder and CEO Linxin Wen sent an email to customers confirming it learned about the data breach on Monday morning, and said credit card information and account passwords were not stolen.
A statement posted on the Reddit thread, said: “Thank you for bringing this to our attention. As soon as we became aware of this incident, our security team quickly took steps to secure our systems, including our customers’ account information. The link from the email is already disabled. Your credit card information does not exist in our systems. Any credit card information and transaction is processed by Stripe, a secure 3rd party payment processor. We are confident your credit card information is safe.”
Paul Edon, senior director, technical sales and services (EMEA) at Tripwire, said this type of attack is unusual and appears to have been aimed at undermining the reputation of Chowbus. “Based on the way in which data was released, there is a high probability that this was the work of a disgruntled employee or ex-employee,” he said “Anyone with a Chowbus account should immediately change their account password and if possible, implement two-factor authentication.”