Glovo, a promising $2 billion delivery startup in Spain that aims to rival delivery giant Amazon in Europe in the coming years, grabbed unwanted attention after a hacker infiltrated an old administration panel interface and accessed customer and courier accounts.
The breach was first discovered by Hold Security, whose CEO and founder Alex Holden told Forbes that a hacker was sharing screenshots and videos on the Dark Web to demonstrate that they had gained access to Glovo accounts. The hacker was purportedly selling access to Glovo’s customer and courier accounts, but it is not clear how many customers or delivery agents were affected by the breach.
Glovo is a fast-growing delivery service headquartered in Barcelona, with over 2,000 employees, over 57,000 active couriers, and over 3.5 million active customers. It connects over 74,000 local shops and restaurants with customers in over 20 countries. The company was founded in 2015 and is best known for its mobile app-enabled food delivery services.
When contacted by Forbes, Glovo admitted to the cyber intrusion, stating that it was aware of the breach, that it had detected how the hacker infiltrated its systems, and that the unauthorised access was shut down soon after it was discovered.
“On April 29, we were made aware of unauthorized access by a malicious third party actor to one of our systems. The actor involved was able to gain access through an old administration panel interface. As soon as we discovered this suspicious activity, we took immediate steps to block further access by the unauthorized third party and put in place additional measures to secure our platform,” a spokesperson said.
“While we are currently investigating further, we can confirm that no customer card data was accessed, as we do not hold or store such information,” the spokesperson added, stating that the company had informed AEPD, Spain’s data protection authority, about the cyber security incident.
According to Holden, even though Glovo insists that the hacker no longer has access to its systems and that it did not find any evidence of data exfiltration, the hacker continues to try to sell access to the company’s customer accounts, courier accounts, and systems used to manage such accounts. While Glovo says that no financial information of customers was accessed, Holden believes couriers’ IBAN numbers and tax ID numbers were exposed.
Commenting on the breach suffered by Glovo, Natalie Page, a threat intelligence analyst at Talion, says that with no credit card data reportedly stolen, customers do not need to rush to cancel credit cards, but should continue to be vigilant for any suspicious transactions on their account in the future.
“The top priority now for the 10 million Glovo users potentially affected, shall be to update their Glovo account password and subsequently update the password on accounts where their Glovo password has been duplicated. As this data continues to be sold on hacker forums, clients should also be observant of attackers utilising the details stolen for social engineering tactics and future phishing attempts.”
This is not the first time that the multinational food and grocery delivery startup has garnered attention because of a cyber security incident. In 2019, according to several media portals, a large number of customers reported unauthorised charges made to their accounts from Egypt. The hacker reportedly changed usernames as well as region and language settings, in addition to making purchases.
When contacted by Hipertextual, a Glovo spokesperson said the company was aware of the fraudulent charges and that it had recommended affected customers update their account information while it investigated the issue. The company also insisted that the credit card information of its users was not compromised.