Hacking Glovo: They Put the Complete Database up for Sale on the Internet

At the beginning of the month we learned of one of the most serious hacks in the history of Spain, in which a group of hackers gained full access to Glovo computers with administrator permissions. In addition to selling access to those computers, it seems that the hackers had time to obtain the entire database of the home delivery application, and now they have put it up for sale.

The hack is even more serious than that of Phone House, in which 1 in 4 Spaniards were included. In the case of Glovo, the database obtained by the hackers is complete and includes extremely dangerous data such as users' passwords and credit card numbers, as well as data on distributors, customers, orders, stores, associated companies, etc. Specifically, according to the hackers, the available data is:

  • Full name
  • Birthday
  • Email
  • Password encrypted with SHA256
  • Phone number
  • Physical address
  • Postal Code
  • Credit card, expiration date and CVC
  • DNI
  • IBAN of the bank account

In the following image we can see some of this data as it appears in the database, part of which we have censored. The user who appears had two registered bank cards, with their corresponding expiration date and CVC:

In addition to having that data for all users, the hackers also have the usernames and passwords of the administrators, where the passwords are bypassed. As for the distributors, the data they have is the following; the hackers end the list with an "etc", so there could be even more information:

  • Full name
  • E-mail
  • Password encrypted with SHA256
  • Transport method
  • Postal Code
  • Physical address
  • IBAN of the bank account
  • DNI
  • Date of birth
  • Photo of the identity document

480 GB of data, passwords and cards included

The database has 480 GB of uncompressed data, offered as 60 GB compressed. The hackers offer two samples, of three users of the app and three distributors. They also offer test snapshots of the admin panel and database on request, but only to buyers who show they are serious. They will not manually look up a user by name, and they only sell data in bulk or for a specific country, Spain being the app's main market, although it is already present in 28 countries.

A few days ago a reduced version of the database, occupying only 180 GB, was put on sale, but now the complete database is available. In the case of Phone House, the database was made available to any user on the hacking group's website on the Dark Web, but these hackers seem to want to get some revenue from it.

Change the password and cancel the card

Thus, unlike what happened with Phone House, here it is very important to change the password in Glovo and in any other service where we have used it, since, although it uses very robust encryption, what usually happens in these situations is that attackers manage to undo the encryption and get the password in plain text.
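The following added example (not part of the original article, and not Glovo's code) shows why passwords stored with SHA-256 should be treated as exposed once the table leaks, and what a salted, deliberately slow scheme looks like in comparison. It assumes the SHA-256 values are plain unsalted digests, which the listing does not confirm; the user names and passwords are constructed.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not data from the leak).
USERS = {"ana": "Verano2021", "luis": "Verano2021", "marta": "k9!tR#v2Lq"}

def sha256_hex(password: str) -> str:
    """Assumed legacy scheme: one unsalted SHA-256 pass over the password."""
    return hashlib.sha256(password.encode()).hexdigest()

def shared_digests(table: dict) -> list:
    """Audit helper: group accounts whose stored digest is identical.

    With an unsalted hash, equal passwords give equal digests, so a leaked
    table reveals password reuse and one recovered value exposes the group."""
    groups = defaultdict(list)
    for user, digest in table.items():
        groups[digest].append(user)
    return [sorted(g) for g in groups.values() if len(g) > 1]

def scrypt_store(password: str) -> tuple:
    """Hardened storage: random per-user salt plus a memory-hard KDF."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, key

def scrypt_verify(password: str, salt: bytes, key: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(candidate, key)

def demo() -> dict:
    legacy = {user: sha256_hex(pw) for user, pw in USERS.items()}
    hardened = {user: scrypt_store(pw) for user, pw in USERS.items()}
    return {
        "legacy_shared": shared_digests(legacy),
        # Same password, different salts: the stored keys no longer match.
        "hardened_match": hardened["ana"][1] == hardened["luis"][1],
        "login_ok": scrypt_verify("Verano2021", *hardened["ana"]),
    }

if __name__ == "__main__":
    print(demo())
```
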

At the same time, it would also be a good idea to change the credit card number and cancel the card we have used in Glovo. With the account number and all our personal data, hackers can impersonate us to ask for loans or carry out any type of suspicious activity. For example, they can register this card on Amazon or in any store and, with our full name, the expiration date and the CVC, they can make purchases, so it is important to review the activity in our bank account to avoid scares.

At the legal level, there is not much we can do against Glovo for exposing the data, but in the event that money is stolen from the account, a lawsuit could be filed. Glovo reported the improper access to the AEPD, but said no card data had been stolen. Unfortunately, it seems that this has not been the case, and if thefts occur using this data, Glovo could face paying a large number of compensation claims.