On Tuesday, online delivery startup Glovo confirmed that a cybercriminal had managed to break into its platform. According to Forbes, the hacker was selling access to both customer and courier accounts, with the ability to change their passwords, though Glovo emphasized that no credit card data had been stolen.
This comes just a couple of days after the company announced that it had secured $528 million (€230 million) in Series F funding for global expansion.
Forbes said it was “alerted to the breach by Alex Holden, chief technology officer and founder of Hold Security, which tracks malicious hackers across the darker corners of the Web. He discovered screenshots and videos from a hacker showing off access to the computers used to manage Glovo accounts.”
“After he passed them on to Forbes, and one of the affected users confirmed they were a member of Glovo, the breach was disclosed to the company on Thursday. On Monday, Glovo confirmed the hack, claiming it had fixed the issue, even as the hacker continued to sell access to the startup’s IT systems.”
“On April 29, we were made aware of unauthorized access by a malicious third party actor to one of our systems,” a spokesperson said.
“The actor involved was able to gain access through an old administration panel interface. As soon as we discovered this suspicious activity, we took immediate steps to block further access by the unauthorized third party and put in place additional measures to secure our platform.
“While we are currently investigating further, we can confirm that no customer card data was accessed, as we do not hold or store such information.”
Though Glovo has contacted the Agencia Española de Protección de Datos (AEPD), Spain’s data protection authority, the company said it could not divulge any more information on the nature of the breach or the kinds of data it believes to have been compromised as a result of the hack.
Glovo said that it had blocked access to the affected system on Friday morning, after it was placed behind the firewall. “As a result, the system is now no longer accessible. We then undertook a log analysis to search for signs of a data leak and to assess the potential volume of such a leak. We found evidence of unauthorized access to the system, confirming the presence of the hacker, but we found no evidence to confirm any data export.”
Glovo was founded by Oscar Pierre and Sacha Michaud in 2015. In December 2019, it raised $167 million (€150m) in a Series E round led by Abu Dhabi’s Mubadala. The new funds pushed the company past the $1 billion valuation mark, making it the second privately held Spanish company to achieve “unicorn” status.
Glovo has more than 2.5 million monthly active users, 50,000 active couriers and over 50,000 associated partners worldwide. It recently launched operations in Ghana, its fifth African country.