Dunzo, one of India's most popular hyper-local delivery apps and a Google-backed company, has disclosed a cybersecurity incident in which the phone numbers and email addresses of users were compromised.
The attackers compromised the servers of a third-party vendor that Dunzo works with and gained access to a Dunzo database through them. Payment information such as credit card details was not compromised, and no passwords were exposed because Dunzo authenticates users with one-time passwords (OTPs) rather than stored passwords. It remains unclear whether the email addresses of all users were compromised or only those of a subset.
As for credit card details, the company clarified that it does not store this data on its servers. The company said it has notified customers of the breach by a personal email and, since logins are OTP-based, it has not asked users to change passwords. For users who missed the email from Dunzo, or whose message never reached their inbox, the company has made the information publicly available on its blog.
While Dunzo did not disclose the name of the third-party vendor, there is a further risk: if the vendor does not work exclusively with Dunzo, user databases belonging to its other clients could have been compromised as well.
How and why did Dunzo give a third-party vendor access to its user database?
While questions are being asked about why Dunzo allowed a third-party vendor access to users' private details, it is worth noting that the compromised data, email addresses and phone numbers, are details that users rarely change and, unlike a password, cannot simply be rotated after a breach. This data can be used for phishing attacks over voice (vishing), text messages (smishing) and email.
Many companies are known to hide security flaws and breaches, but Dunzo in this case acknowledged the weakness and took full responsibility for the data compromise.
What else could Dunzo have done to limit the damage, and to avoid sharing user data with third-party vendors in the first place, so that there was no room for a later compromise of user data?
As the story broke, some users tried to log in to their Dunzo accounts to change their mobile number and email address, or to delete their account permanently, but for reasons unknown account deletion is not working either.
Dunzo shared the breach information with users only after a thorough investigation, and said it has engaged leading cybersecurity firms to strengthen its security framework.