How Were Users Affected by the Latest EatStreet Data Breach?
The hacker that stands behind the Gnosticplayers alias has made quite a few headlines over the last four months or so, and some people may find this odd. For one, it's difficult to take a person seriously if they use a nickname that seems to have been dreamt up by a teenager who probably has no idea what the word 'gnostic' actually means. There are a number of other reasons why you'd be perplexed by Gnosticplayers' popularity.
He has been actively communicating with ZDNet's Catalin Cimpanu, and he has provided multiple absurd excuses for his cybercriminal activities. He once said, for example, that one of his main goals is to see the "downfall of American pigs". More recently, he said that he was frustrated with the lack of basic security hygiene demonstrated by online service providers. We're all upset by this, but not all of us sell innocent users' personal information for cold hard bitcoins.
Based on all this, you might be wondering why people even bother talking about Gnosticplayers. There is a very good reason, though – he is a seriously dangerous hacker. In the span of less than six months, he released for sale over 1 billion stolen records from dozens of companies. He claims that he has done all the hacking himself and that he is in possession of quite a lot more data which he uses and trades privately. The experts are not ready to disagree.
Gnosticplayers isn't on the verge of retirement, either. In fact, his latest hit, the one on online food ordering service EatStreet, was officially disclosed just last week.
Gnosticplayers hacked EatStreet in early May
Catalin Cimpanu first heard of the EatStreet data breach a month ago when he was reporting on the Canva incident during which Gnosticplayers stole the data of 139 million users. Back then, the hacker told ZDNet that he had also compromised EatStreet's security, but he decided not to back his claims with any actual data, and with no word from the affected company, the story remained on the sidelines.
Last week, however, ZDNet's security reporter noticed that EatStreet customers and partners were receiving data breach notifications by email, which proved that Gnosticplayers had been telling the truth. He first infiltrated EatStreet's systems on May 3 and remained undetected for exactly two weeks. On May 17, Gnosticplayers' access was cut off, but by then, he had already managed to steal a few databases full of sensitive information.
The email notifications published by ZDNet don't say why the data breach remained undisclosed for over a month. What they do tell us, however, is that people and business owners affected by it should be rather careful.
Gnosticplayers compromised personal, business, and financial data
Gnosticplayers had enough time to siphon off quite a lot of information, and it's fair to say that he used it wisely. In addition to names, email and billing addresses, and phone numbers, Gnosticplayers made off with the full credit card details of individual EatStreet customers. He also managed to steal business names, personal and contact details of business owners, as well as bank account and routing numbers of some of EatStreet's partnering restaurants and delivery services.
Although it said that it has beefed up its security in order to thwart future attacks, the food ordering platform decided not to publicly announce how many people and businesses have been affected, which means that we have no other choice but to take Gnosticplayers' word for it. He told ZDNet that he has over 6 million records stolen from EatStreet.
The scale of the breach might remain unknown, but the potential consequences for each individual user should be pretty apparent. Quite a lot of information was stolen, which means that if you've received a data breach notification from EatStreet, you should keep your eyes peeled for any signs of identity theft.