“Foodie” Data Breach Affects Millions of Eatigo and RedMart Customers

Noodles, dumplings, dim sum, spring rolls and other famous Asian dishes on table

Personal data of millions of customers were illegally accessed in two separate data breaches. On Saturday, the restaurant reservation app Eatigo confirmed a security incident involving 2.8 million customer accounts. Just a day prior e-grocer RedMart disclosed that personal information of 1.1 million customers had been stolen.

Data From 2.8 Million Eatigo Accounts Stolen

Eatigo is the number 1 restaurant reservation app in Asia. The platform allows diners to make a reservation in any of their 4,500+ restaurants. Customers enjoy time-based discounts of up to 50% during off-peak hours. The service is available in Thailand, Singapore, Malaysia, Hong Kong, India, the Philippines and Indonesia.

In an email to customers, Eatigo disclosed that it was made aware of a data breach that potentially affected 2.8 million Eatigo accounts. “Our investigations indicate that the information that was illegally accessed was from more than 18 months ago and included customer names, email addresses and phone numbers”, said Eatigo. The customers’ personal information is up for sale on the dark web.

The company assured customers that their existing Eatigo account password is encrypted and thus “remains safe”. Nonetheless, they encouraged users to reset their password as a precautionary measure. Fortunately, the company doesn’t store credit card information on their system.

Up To 1.1 Million RedMart Customers Affected

Alongside Eatigo’s customer data, cybercriminals are also selling personal information from 1.1 million RedMart users. RedMart is Singapore’s largest online grocery store. The company Lazada acquired RedMart in 2016 and integrated both platforms in March 2019. Just like Eatigo, the RedMart database is said to be 18 months out of date. It is unclear if both databases were breached by the same perpetrators.

“On 29 October 2020, our cybersecurity team discovered a data security incident involving unauthorised access to a RedMart-only database hosted on a third-party service provider”, confirmed Lazada. “We immediately removed the unauthorised access and commenced investigations to assess the extent of the incident.”

The customer information that was illegally accessed in this data breach included names, phone numbers and addresses, as well as encrypted passwords and partial credit card numbers. Lazada has logged users out of their existing accounts and has requested they input a new password upon their next login. Both RedMart and Eatigo have informed the Personal Data Protection Commission (PDPC).

Out of Date or Not, That’s the Question

Although both companies emphasized multiple times that the compromised databases are “at least 18 months out of date”, it is unclear whether this is relevant or not. Especially since consumers tend to use the same passwords across multiple platforms and usually don’t regularly change passwords, other than for their banking accounts or their professional email accounts, for example.

What’s more, a data breach broker apparently told Bleeping Computer that “the stolen database contains user records with registration dates in May and July 2020”. A screenshot with recent user records was added as proof. Another question is why both legacy databases are or were still online, if the data is no longer being used and hasn’t been for at least 18 months?

Also, the passwords in the stolen databases are SHA-1 hashed. SHA cryptography is a form of hashing rather than encryption. It creates unique hashes and was specifically made to secure important and sensitive data. Nonetheless, the SHA-1 encryption algorithm has a bad reputation among cybersecurity experts as it has been successfully “dehashed” by hackers in the past.

Best Practices for Online Accounts

Both data breaches are a stark reminder that consumer’s online accounts are prime targets for cybercriminals. Most contain a load of valuable personal information, such as names, addresses, emails and credit card details.

There are also multiple ways for cybercriminals to get hold of supplementary details, such as phishing, social engineering, or credential stuffing. Moreover, if a consumer uses the same password for different accounts, a hacker can easily take over multiple accounts and impersonate the person or commit identity theft.

As a reminder, best practices to safeguard online accounts include:

  • Using strong and unique passwords
  • Changing passwords regularly
  • Being alert for phishing emails requesting personal or sensitive information
  • Monitoring any unusual activity
  • Never sharing confidential information over the phone, email or text
  • Avoiding saving credit card details online
  • Anonymizing an internet connection by using a Tor-browser or a VPN
IT communication specialist
Sandra has many years of experience in the IT and tech sector as a communication specialist. She's also been co-director of a company specializing in IT, editorial services and communications project management. For VPNoverview.com she follows relevant cybercrime and online privacy developments.