Glovo customers and couriers had their data put at risk in a cyberattack confirmed by the $2 billion Amazon rival. (Photo credit should read Evgen Kotenko/ Ukrinform/Barcroft Media via Getty Images)Barcroft Media via Getty Images
A cybercriminal has managed to break into the $2 billion-valued Spanish delivery startup Glovo. The hacker was selling access to both customer and courier accounts, with the ability to change their passwords, though the company has stressed to Forbes no credit card data has been stolen.
It comes just a month after Glovo, which aims to become the Amazon of Europe capable of delivering anything, rival capable of delivering anything, announced a huge $530 million round, taking its overall funding to over $1 billion and boosting plans to take the company public in the next few years.
Forbes was alerted to the breach by Alex Holden, chief technology officer and founder of Hold Security, which tracks malicious hackers across the darker corners of the web. He discovered screenshots and videos from a hacker showing off access to the computers used to manage Glovo accounts. After he passed them to Forbes, and one of the affected users confirmed they were a member of Glovo, the breach was disclosed to the company on Thursday. On Monday, Glovo confirmed the hack, claiming it had fixed the issue, even as the hacker continued to sell access to the startup’s IT systems.
“On April 29th we were made aware of unauthorised access by a malicious third party actor to one of our systems,” a spokesperson said.
“The actor involved was able to gain access through an old administration panel interface. As soon as we discovered this suspicious activity we took immediate steps to block further access by the unauthorised third party and put in place additional measures to secure our platform.
“While we are currently investigating further, we can confirm that no customer card data was accessed, as we do not hold or store such information.”
The company has contacted the Agencia Española de Protección de Datos (AEPD), Spain’s data protection authority. “We will be providing them with all the information that they need for their investigation.” The Glovo spokesperson added that they couldn’t divulge any more information on the nature of the breach or the kinds of data they believe to have been compromised as a result of the hack.
Holden told Forbes he was concerned that as of Monday the hacker was still promising buyers access to Glovo systems and data, and that the information appeared to be unencrypted to any outsider who could break in. He also raised concerns that couriers’ IBAN numbers and tax ID numbers were exposed.
“During the pandemic, delivery of food, groceries and medications is critical to many. Hence this breach is significantly worse than it would have been before,” Holden added.
“There are plenty of fraud and abuse angles that may come out of this data, but perhaps more importantly a mass violation of privacy for customers and couriers.”