[BreachExchange] Google-backed Dunzo suffers data breach

Destry Winant destry at riskbasedsecurity.com
Mon Jul 13 10:12:30 EDT 2020


https://www.techradar.com/news/google-backed-dunzo-suffers-data-breach

A database belonging to Dunzo, India's popular hyperlocal delivery
platform, containing users’ phone numbers and email addresses was
reportedly breached by an unidentified attacker.

In a welcome proactive move, Dunzo CTO Mukund Jha himself made the
news of this attack public.

In a blogpost, Jha wrote: "Recently, our team identified a security
breach that involved unauthorized access to one of our databases.
While we are still investigating, we believe it is our responsibility
to inform you as soon as possible. We’ve always taken safety very
seriously and we’re sorry that this happened. Our team is doing
everything we can to ensure we make this right."

"As soon as we became aware of the breach, we launched an internal
investigation to determine what happened," he added.

What did the attacker access?

According to Dunzo, the servers of a third party that the company
works with were compromised. This allowed the attacker to get
unauthorized access and breach Dunzo's database.

This database did contain user phone numbers and email addresses. But
Dunzo says: "No payment information like credit card numbers was
compromised as we do not store this data on our servers."

In an email sent to customers notifying them of the breach, Dunzo has
not suggested that they change passwords. Dunzo, in any case, uses an
OTP-based login system on sign-up and hence doesn't use or store any
user passwords.

Though it is not clear how many customers could have been impacted by
the attack, Dunzo said that it has "addressed and resolved the issue
for all its users."

The company said it has secured all its databases and data stores from
a network and access standpoint. "Tightened infrastructure security and
closed all the vulnerable ports and reviewed all the third-party
plugins and integrations," it added.

The Google deal

The 5-year-old startup is a major player in hyperlocal delivery
services, and delivers groceries, perishables, pet supplies,
prescription drugs and food from restaurants. In the lockdown period,
its services were highly sought after in the cities where it operates.

It is operational in Bengaluru, Delhi, Gurugram, Pune, Chennai,
Jaipur, Mumbai and Hyderabad.

Google had taken a minority stake in the venture in 2017, when it
led a $12 million investment round. Many analysts had said this was
Google's way of entering the 'happening' Indian delivery space in a
low-key manner.

The tie-up allows Google to use Dunzo’s delivery services, while Dunzo
gets access to more than 67 million Indians who use Google’s Pay app.

Apart from Google, other investors who have chipped in to Dunzo
include Lightbox Ventures, STIC Investment, STIC Ventures and 3L Capital.

