Popular food delivery app FoodPapa allegedly got hacked, exposing the private information of delivery riders and customers, including phone numbers, emails, photos, and more.
A database belonging to FoodPapa was leaked on a popular cybercrime forum, raising concerns over the safety of customer and delivery rider information.
ProPakistani reached out to FoodPapa for an official response regarding the alleged breach. However, the company did not respond at the time of publication. As a result, it remains unclear how the breach occurred, whether FoodPapa was aware of the issue, or what steps, if any, are being taken to address the situation.
According to details shared online, the breach is attributed to a threat actor identified as “penguinbrew,” who claims the company left a backed-up database exposed, allowing unauthorized access.
The leaked data reportedly includes a full SQL database measuring approximately 238.3 MiB in compressed form and 1.5 GiB uncompressed. A smaller set of cleaned tables, sized at 13.5 MiB compressed and 27.01 MiB uncompressed, has also been made available. The backup is said to date back to February 1, 2026.
The exposed database allegedly contains extensive personal and account-related information of users. This includes first and last names, phone numbers, email addresses, profile images, and verification statuses. More sensitive details, such as passwords, remember tokens, authentication tokens, refresh tokens, and wallet balances, are also reportedly part of the leak. Additional fields include order counts, loyalty points, referral codes, and account status indicators.
Data linked to delivery riders is also said to be compromised. The leaked information includes names, phone numbers, and email addresses, along with identity details such as identity numbers, types, and images. Other sensitive records include signatures, passwords, authentication tokens, earnings, assigned zones, and order activity. Personal information such as full addresses, father’s names, and vehicle registration details is also reportedly included, along with employment-related data such as termination status and reasons.
The threat actor claims that both the complete database and cleaned datasets for users, delivery personnel, and administrative records are available for download.
Get the latest tech news, telecom insights, and product launches wherever you prefer.
Add ProPakistani to Preferred Sources and see more of our stories in Google Search and Top Stories.