NEW DELHI: The Dunzo data breach, reported earlier this month, was bigger than earlier expected. Information leaked through the data breach has now been uploaded on haveibeenpwned.com, a website which is used by security researchers to help the public find whether their data had been part of any breaches. Through this upload, the website details 3,465,259 accounts of Dunzo users.
The total number of breached accounts wasn’t disclosed by Dunzo in its voluntary disclosure earlier. The company had said its investigation at the time showed phone numbers and email addresses had been leaked, but the haveibeenpwned filing shows more information was involved.
Dunzo has also updated its blog post about the breach today, adding that personally identifiable information (PII) other than email and phone numbers were included in the breach. The leaked information includes Device information, email addresses, geographic locations (last known location), IP addresses, names, phone numbers.
While Dunzo says no address data was breached, a user’s last known location could very well be used by hackers to gauge their addresses. In fact, a security researcher who accessed a copy of the database for analysis confirmed that the latitude and longitude data could be as accurate as 20 metres from your location. “I checked my own data and found that it almost pinpointed to my home,” he said.
What Dunzo is essentially saying here is that the address you enter into the app wasn’t leaked. To an attacker, that may not matter and location intelligence, even of a friend’s address can be used to gain insight into a person.
Internal information from Dunzo, which includes the company’s advertiser ID, internal campaign names, keywords and more were also leaked through the hack. “Our teams are additionally working with two external leading cybersecurity firms to further strengthen all our security practices. This will help ensure that in the future, there is no thread of any unauthorized access to our data,” the company said in its post. No payment information has been breached right now.
Sources in the security community said the database is being actively shared among people right now.
The bright side is that Dunzo doesn’t allow users to create passwords for logging into the service, which means no passwords would have been leaked through the breach. However, the attackers can use information like phone numbers, email addresses and location data to glean insights into a person, as long as they are motivated enough.