-
A bad actor under the name “Penguinbrew” allegedly leaked the database of a prominent business, FoodPapa.
-
The 1.5 GB stolen data contained sensitive data of users and delivery personnel including personal and financial records, etc.
-
The success of the attack stems from an unprotected backup database of the company that the threat actor took advantage of.
A huge cyber attack just FoodPapa, a Pakistan-based platform for food delivery. Amid the buzz, a threat actor reportedly shared its database on a known cybercrime forum.
The individual behind the leak, “penguinbrew,” claims the entry to the data worked through an exposed backup system.
Hacker Takes Advantage of Open Backup Database
The size of the hijacked database is significant, reportedly measuring 238.3 MB in compressed format and approximately 1.5 GB when uncompressed. It includes both full SQL database files alongside smaller cleaned tables, with the backup dated January 2, 2026.
According to the claims, a misconfigured or poorly secured backup database (left open to the public) gave the bad actor entry. Such vulnerabilities are increasingly common, as organizations fail to bring in proper security measures for cloud storage and backup systems. As a result, it leaves them open to exploitation by cyber thieves.
Extent of Exposure Content of Compromised Data
The leaked data reportedly covers multiple categories, including users, delivery personnel, and administrative records. For users, the exposed information includes first and last names, phone numbers, email addresses, and account-related details such as passwords, authentication tokens, and login methods.
Additional user data such as wallet balances, loyalty points, referral codes, and order counts were also part of the dataset. This information could potentially facilitate financial fraud, phishing attacks, or unauthorized account access. The inclusion of verification statuses, social IDs, and Firebase tokens further increases the risk of impersonation and targeted cyberattacks.
For delivery personnel, the leak reportedly includes identity verification details such as identity numbers, images, and types, along with personal data like full addresses, father’s names, and vehicle registration information.
Employment-related records, including earnings, shift details, payment status, and termination information, also leaked, raising serious privacy and security concerns.
Impact and Industry Implications
Cybersecurity experts warn that breaches of this nature can have far-reaching consequences. Affected users may face risks such as identity theft, financial fraud, and long-term exposure to phishing and social engineering attacks.
For delivery workers, the exposure of identity documents and personal details presents even more serious risks, including impersonation and financial exploitation.
The incident underscores ongoing challenges within the tech industry, particularly in fast-growing sectors like food delivery. As companies expand rapidly, security infrastructure often fails to keep pace, resulting in vulnerabilities such as unsecured databases and weak access controls.
At the time of reporting, FoodPapa has not issued an official statement regarding the alleged breach. It remains unclear whether the company is conducting an internal investigation or notifying affected users.
In the meantime, cybersecurity professionals advise users to take precautionary measures, including updating passwords, enabling multi-factor authentication, and staying alert to suspicious communications.
The cybersecurity professionals further advise users to look out for unsolicited emails or messages trying to take advantage of the leaked details, or requesting for even more sensitive information.
This breach serves as a critical reminder of the importance of robust data protection practices. In an increasingly digital world, safeguarding user information is not just a technical necessity but a fundamental responsibility for maintaining trust and credibility. Given how cyber threats are evolving, organizations must put digital security first, rather than as a technical prerequisite.
The 240 million Pakistanis whose personal data is already on the dark web serve as a stark warning, when data protection fails at scale, the consequences affect nearly every citizen, and the damage can take years, if not decades, to undo.
