A database belonging to Dunzo, India’s popular hyperlocal delivery platform, that held users’ phone numbers and email addresses was reportedly breached by an unidentified attacker.
In a welcome proactive move, Dunzo CTO Mukund Jha himself made the news of this attack public.
In a blog post, Jha wrote: “Recently, our team identified a security breach that involved unauthorized access to one of our databases. While we are still investigating, we believe it is our responsibility to inform you as soon as possible. We’ve always taken safety very seriously and we’re sorry that this happened. Our team is doing everything we can to ensure we make this right.”
“As soon as we became aware of the breach, we launched an internal investigation to determine what happened,” he added.
What did the attacker access?
According to Dunzo, the servers of a third party that the company works with were compromised. This allowed the attacker to get unauthorized access and breach Dunzo’s database.
This database did contain user phone numbers and email addresses. But Dunzo says: “No payment information like credit card numbers was compromised as we do not store this data on our servers.”
In an email sent to customers notifying them of the breach, Dunzo has not advised them to change passwords. Dunzo, in any case, uses an OTP-based login system on sign-up and hence doesn’t use or store any user passwords.
Though it is not clear how many customers could have been impacted by the attack, Dunzo said that it has “addressed and resolved the issue for all its users.”
The company said it has secured all its databases and data stores from a network and access standpoint. “Tightened infrastructure security and closed all the vulnerable ports and reviewed all the third-party plugins and integrations,” it added.
The Google deal
The 5-year-old startup is a major player in hyperlocal delivery services, and delivers groceries, perishables, pet supplies, prescription drugs and food from restaurants. In the lockdown period, its services were highly sought after in the cities where it operates.
It is operational in Bengaluru, Delhi, Gurugram, Pune, Chennai, Jaipur, Mumbai and Hyderabad.
Google had taken a minority stake in the venture in 2017, when it led a $12 million investment round. Many analysts had said this was Google’s way of entering the ‘happening’ Indian delivery space in a low-key manner.
The tie-up allows Google to use Dunzo’s delivery services, while Dunzo gets access to more than 67 million Indians who use Google’s Pay app.
Apart from Google, other investors in Dunzo include Lightbox Ventures, STIC Investment, STIC Ventures and 3L Capital.