Dunzo Users Need to Be Careful After Their Phone Numbers and Email IDs Got Leaked

Dunzo Data Breach

On Saturday, Mukund Jha, the CTO of an Indian delivery service called Dunzo, was faced with the unenviable task of telling users that some of their data had been exposed. In a blog post, Jha apologized profusely and explained that hackers had gained access to the phone numbers and email addresses of an undisclosed number of Dunzo users.

Dunzo: A third-party breach led to the exposure of users' data

Dunzo's CTO said that the investigation is still ongoing, but he did point out the hackers didn't attack Dunzo itself. The server of a third party that the startup works with was breached, and through it, the crooks managed to get to a Dunzo database that contained phone numbers and email addresses.

As soon as they learned about the breach, Jha and his team immediately started working on securing the data and ensuring that similar incidents don't happen in the future. The steps they took include implementing a system that will alert them of any suspicious activity, reviewing third-party plugins, tightening access control policies, changing internal passwords, rotating access tokens, and updating the entire network configuration. More or less, they did all the things a company should do in the aftermath of a data breach, as well as some of the things a company should ideally do before the data ends up exposed.

Dunzo was quick to disclose the breach, but some of the details remain unknown

Jha's blog post was pasted in an email and sent to some of Dunzo's customers. One of those customers was independent researcher and cybersecurity professional Niranjan Patil, who praised Dunzo for being upfront about the incident.

It is indeed good to see a startup company that has suffered a cybersecurity calamity admit about the hack and disclose it as quickly as possible. That being said, Mukund Jha's notice could have contained fewer apologies and a bit more details.

Jha did point out that the company is still investigating the incident, so it's fair to assume that even he hasn't got the full picture. The fact that the third party that got hacked remains unnamed for now is also somewhat understandable.

Dunzo could have at least disclosed, however, when the breach happened and how the company learned about it. The number of potentially affected users is also not disclosed, which means that it's impossible to estimate the scope of the incident. People might also be wondering if any login data was affected during the breach. Regular users do indeed sign up for the service with a one-time password sent to their phones, but the businesses that work with Dunzo rely on a traditional username and password authentication system, and although the notification said that no payment information has been exposed, there was no mention of login credentials.

The missing details mean that at this point, users can do little more than hope that the breach isn't that serious. They can also hope that any future communication regarding the incident will be a bit more detailed.

July 13, 2020