Explained: Data Breach At Hyper-Local Delivery App Dunzo

Hyper-local delivery and concierge service startup Dunzo suffered a breach in its database containing phone numbers and emails of users, CEO Mukund Jha announced on Saturday. According to the announcement, the breach occurred in a third-party server, giving unauthorised access to the attacker.

It also mentioned that extremely sensitive information like credit card details were kept safe from this breach as they were not stored in the servers. However, Dunzo is yet to provide the name of the third-party who suffered the breach, and the number of users who have been affected by this attack.

What Is Dunzo?

Founded in 2014, Dunzo started off as a Bengaluru-based WhatsApp group, and then eventually developed into a hyperlocal app-based delivery solutions company. The app shot to popularity by giving you the offer to deliver practically anything within a certain radius. The app also provides motorbike taxi services in specific locations.

Since its initial days, the company has attracted prominent investors from all around the world, including Google, to raise more than $80 million in funds.

In October 2019, Business Insider reported the startup as having 5 lakh monthly users and conducting 20 lakh transactions every month.

The Data Breach

According to the announcement made by the company and its CEO, only one of the databases in a third-party server has been affected by the breach. Dunzo was not able to confirm to BOOM the exact number of users affected by the breach.

The company has also assured its users that credit card information of its users were kept safe as they're not stored in their servers.

What Steps Has Dunzo Taken?

In conversation with BOOM, a Dunzo spokesperson ensured that steps have been taken by the company to protect itself from malicious attacks, including those on third parties. "From our end, we have further strengthened and resolved our security systems to ensure that even if a third party breach occurs, Dunzo's systems are impenetrable," the spokesperson said.

Furthermore, the company also added the following steps in the announcement as measures taken to protect its databases:

• Secured all our database and data stores from network and access standpoint
• Rotated all the access tokens and updated all passwords as a precautionary measure
• Tightened infrastructure security and closed all the vulnerable ports
• Reviewed and updated all access privileges to our system and infrastructure
• Reviewed all the third-party plugins and integrations
• Enhanced our logging and tracing even further across various services to monitor and get alerted about any suspicious activity

What Does This Breach Mean For Dunzo Users?

Going by our conversation with the company and the announcement it has made, it is still not clear who the affected third-party is, or how many users have had their information compromised.

However, we do know that phone numbers and emails of certain users could have leaked out in this breach. Such information exposes these users to phishing attacks, which aims at extracting highly sensitive information such as online banking or credit card details.

Therefore Dunzo users should avoid opening links with suspicious domains names, sent by people they do not trust, and refrain from providing any information to suspicious callers.

Cybercrimes On The Rise

The current pandemic and the ensuing social distancing has locked many people in their homes with their laptops and smartphones as the only way to communicate with the outside world. The suddenly increased dependency on ICTs has also exposed these users to cyber attacks.

In May, Izumi Nakamitsu, the chief of United Nations Office for Disarmament Affairs stated that there has been a 600% increase in malicious emails during the pandemic.