The Dunzo data breach, which was first disclosed earlier this month, might have been more serious than initially estimated.
Dunzo has now said that in addition to users’ phone numbers and email addresses, other data items, including users’ last-known locations, phone types, and device types, were also compromised. “Based on our latest investigation we learned the information compromised contained additional Personally Identifiable Information (PII) data besides email and phone numbers,” Dunzo wrote on its blog today. “It included information, like last known location, phone type, last login dates. Additionally, we have also learned that the database also contained advertising-related attributes including a few specific PII — device info, last known IP address, and advertising id. All other parameters are internal to Dunzo,” the company added.
The website haveibeenpwned.com, which tells people whether their data has been part of any breaches, says that 34 lakh Dunzo users were affected by the breach. Dunzo previously hadn’t revealed how many users were affected by the breach, which the company said had taken place after a hacker managed to access the servers of a third party Dunzo works with.
While Dunzo has said that user addresses weren’t a part of the data that was stolen, there are concerns that the last-known location could give away the home locations of many users. A security researcher who accessed a copy of the database for analysis told Livemint that the latitude and longitude data could be as accurate as 20 metres from your location. “I checked my own data and found that it almost pinpointed to my home,” he said. The security researcher also confirmed that credit scores for users who paid on Dunzo using the pay-later service Lazypay were also included in the breach.
Dunzo has said that no credit card data or passwords were stolen, so users won’t have to change their passwords. But the theft of personally identifiable information, including last location, phone numbers, email addresses, and device types, could be worrying. New-age apps have dramatically increased convenience for users: single-tap checkouts and saved locations make for great UX, but giving companies access to this information also puts user data at risk of being exposed and stolen.