Spanish delivery startup Glovo confirmed on Tuesday that a cybercriminal had managed to break into its system. As per a report by Forbes, the attacker was selling access to both customer and courier accounts. This was possible as they had the ability to change the accounts’ passwords. However, Glovo has insisted that no credit card data was stolen.
The breach was revealed by Alex Holden, chief technology officer and founder of Hold Security, which tracks malicious hackers across the darker corners of the Web. He discovered images and videos from a hacker who was showing off access to the computers used to manage Glovo accounts.
The information was later passed on to Glovo after one of the affected users confirmed they were a member of the platform. The startup then had no choice but to confirm the hack, claiming it had fixed the issue. This was despite the hacker continuing to sell access to the startup’s IT systems.
“On April 29, we were made aware of unauthorized access by a malicious third party actor to one of our systems,” a spokesperson said.
“The actor involved was able to gain access through an old administration panel interface. As soon as we discovered this suspicious activity, we took immediate steps to block further access by the unauthorized third party and put in place additional measures to secure our platform.
“While we are currently investigating further, we can confirm that no customer card data was accessed, as we do not hold or store such information.”
The company did promise to start investigations alongside Spanish authorities, although Holden is still concerned about what information the hacker managed to access. Speaking to Forbes, the cybersecurity expert raised concerns that international bank account numbers (IBANs) and tax ID numbers were exposed.
On the other hand, Glovo added that it had blocked access to the affected system as early as Friday last week, after it was placed behind the firewall.
It is not clear where the hacker is based or even how many users were affected, so you might want to take all precautionary actions if you are a Glovo user.