ShadowMap’s AI & ML based digital risk management platform has discovered a new data breach on the darkweb that impacts 6 million users of the online delivery service, Dunzo. Dunzo is an Indian company that provides delivery services in Bengaluru, Delhi, Gurugram, Pune, Chennai, Jaipur, Mumbai and Hyderabad. The company also operates a Bike Taxi service in Gurugram. It is headquartered in Bengaluru, India. In 2017, it was funded by Google.
The initial disclosure of the breach was made by Dunzo it self on the 11th of July 2020. As part of our continuous monitoring of 4000+ Surface, Deep & Dark Web Forums for data breaches, we discovered this database being sold on DarkWeb forums around the first week of July 2020.
The forum post claims that the data contains 8,493,681 rows of user data and the hacker has suggested that the initial breach took place in June 2020. On analysing the breach data, we found there were 5,969,986 rows of data published as part of this leak and the breach itself took place around the 20th of June 2020.
Inside The Dunzo Data Breach
The database contains a single table: Users_DunzoUser
id, password, last_login, is_superuser, uuid, first_name, last_name, email, phone, country_code, type, status, device_token, phone_type, phone_make, date_joined, last_updated, secret_key, app_version, registered_on, registered_platform character, send_logistics_pricing, send_logistics_pricing_image_format, last_pricing_version_shared, preferred_mode_of_payment, credit_amount, credit_score, maximum_retries_count, profile_data_updated_on_firebase, merchant_id, permission_role, user_status, flow_version, extra_data_json, city_id, current_runner_task_id, source, first_known_location, last_known_location, referral_code, referred_by_code, advertising_id, device_id, bucket_id
The passwords in the database seem to be stored using Django Password Hashes (Salted SHA 256 hash with 20000 iterations), while some users don’t have a password string in the database since they are most likely using social or OTP based login. In-addition to the email addresses, mobile numbers, IP addresses & password hashes the GPS locations of the users while they installed and last used the application along with details about their phone devices are also available.
Since the password hashes have been leaked, there is a significantly likelihood of password stuffing attacks taking place against various platforms where the same email / mobile and password are being used. In-addition to this, threat actors can use the email addresses to send spam, phishing emails, and launch other online scams.
So, as a rule of thumb:
- Use strong passwords.
- Enable multi-factor authentication for all your online accounts.
- Don’t open unsolicited email attachments and links, especially from senders you don’t recognise.
- Don’t share OTPs with third-parties.
- Review online accounts and financial statements periodically.
- Regularly update your apps and any other software you use.