Exclusive: Hackers Break Into Glovo, Europes $2 Billion Amazon Rival
May 4, 2021,06:21am EDT|8,190 views
Exclusive: Hackers Break Into Glovo, Europe’s $2 Billion Amazon Rival
Thomas Brewster
Thomas BrewsterForbes Staff
Cybersecurity
Associate editor at Forbes, covering cybercrime, privacy, security and surveillance.
Glovo hacked in middle of pandemic.
Glovo customers and couriers had their data put at risk in a cyberattack confirmed by the $2 billion Amazon rival. EVGEN KOTENKO/ UKRINFORM/BARCROFT MEDIA VIA GETTY IMAGES
A cybercriminal has managed to break into the $2 billion-valued Spanish delivery startup Glovo. The hacker was selling access to both customer and courier accounts, with the ability to change their passwords, though the company has emphasized to Forbes that no credit card data has been stolen.
It comes just a month after Glovo, which aims to become the Amazon of Europe, a rival also capable of delivering anything, announced a huge $530 million round, taking its overall funding to over $1 billion and boosting plans to take the company public in the next few years.
Forbes was alerted to the breach by Alex Holden, chief technology officer and founder of Hold Security, which tracks malicious hackers across the darker corners of the Web. He discovered screenshots and videos from a hacker showing off access to the computers used to manage Glovo accounts. After he passed them on to Forbes, and one of the affected users confirmed they were a member of Glovo, the breach was disclosed to the company on Thursday. On Monday, Glovo confirmed the hack, claiming it had fixed the issue, even as the hacker continued to sell access to the startup’s IT systems.
“On April 29, we were made aware of unauthorized access by a malicious third party actor to one of our systems,” a spokesperson said.
“The actor involved was able to gain access through an old administration panel interface. As soon as we discovered this suspicious activity, we took immediate steps to block further access by the unauthorized third party and put in place additional measures to secure our platform.
“While we are currently investigating further, we can confirm that no customer card data was accessed, as we do not hold or store such information.”
The company has contacted the Agencia Española de Protección de Datos (AEPD), Spain’s data protection authority. “We will be providing them with all the information that they need for their investigation.” The Glovo spokesperson added that they couldn’t divulge any more information on the nature of the breach or the kinds of data they believe to have been compromised as a result of the hack.
Holden told Forbes he was concerned that as of Monday the hacker was still promising buyers access to Glovo systems and data, and that the information appeared to be unencrypted to any outsider who could break in. He also raised concerns that couriers’ international bank account numbers (or IBAN) and tax ID numbers were exposed.
A Glovo spokesperson said the data was “only accessible via a successful log-in by an account with sufficient permissions. All personal data at rest in our systems is encrypted.”
They added that the company had blocked access to the affected system on Friday morning, after it was placed behind the firewall. “As a result, the system is now no longer accessible. We then undertook a log analysis to search for signs of a data leak and to assess the potential volume of such a leak. We found evidence of unauthorized access to the system, confirming the presence of the hacker, but we found no evidence to confirm any data export.”
“During the pandemic, delivery of food, groceries and medications is critical to many. Hence, this breach is significantly worse than it would have been before,” Holden added.
“There are plenty of fraud and abuse angles that may come out of this data, but perhaps, more importantly, a mass violation of privacy for customers and couriers.”
Exclusive: Hackers Break Into Glovo, Europe’s $2 Billion Amazon Rival
Thomas Brewster
Thomas BrewsterForbes Staff
Cybersecurity
Associate editor at Forbes, covering cybercrime, privacy, security and surveillance.
Glovo hacked in middle of pandemic.
Glovo customers and couriers had their data put at risk in a cyberattack confirmed by the $2 billion Amazon rival. EVGEN KOTENKO/ UKRINFORM/BARCROFT MEDIA VIA GETTY IMAGES
A cybercriminal has managed to break into the $2 billion-valued Spanish delivery startup Glovo. The hacker was selling access to both customer and courier accounts, with the ability to change their passwords, though the company has emphasized to Forbes that no credit card data has been stolen.
It comes just a month after Glovo, which aims to become the Amazon of Europe, a rival also capable of delivering anything, announced a huge $530 million round, taking its overall funding to over $1 billion and boosting plans to take the company public in the next few years.
Forbes was alerted to the breach by Alex Holden, chief technology officer and founder of Hold Security, which tracks malicious hackers across the darker corners of the Web. He discovered screenshots and videos from a hacker showing off access to the computers used to manage Glovo accounts. After he passed them on to Forbes, and one of the affected users confirmed they were a member of Glovo, the breach was disclosed to the company on Thursday. On Monday, Glovo confirmed the hack, claiming it had fixed the issue, even as the hacker continued to sell access to the startup’s IT systems.
“On April 29, we were made aware of unauthorized access by a malicious third party actor to one of our systems,” a spokesperson said.
“The actor involved was able to gain access through an old administration panel interface. As soon as we discovered this suspicious activity, we took immediate steps to block further access by the unauthorized third party and put in place additional measures to secure our platform.
“While we are currently investigating further, we can confirm that no customer card data was accessed, as we do not hold or store such information.”
The company has contacted the Agencia Española de Protección de Datos (AEPD), Spain’s data protection authority. “We will be providing them with all the information that they need for their investigation.” The Glovo spokesperson added that they couldn’t divulge any more information on the nature of the breach or the kinds of data they believe to have been compromised as a result of the hack.
Holden told Forbes he was concerned that as of Monday the hacker was still promising buyers access to Glovo systems and data, and that the information appeared to be unencrypted to any outsider who could break in. He also raised concerns that couriers’ international bank account numbers (or IBAN) and tax ID numbers were exposed.
A Glovo spokesperson said the data was “only accessible via a successful log-in by an account with sufficient permissions. All personal data at rest in our systems is encrypted.”
They added that the company had blocked access to the affected system on Friday morning, after it was placed behind the firewall. “As a result, the system is now no longer accessible. We then undertook a log analysis to search for signs of a data leak and to assess the potential volume of such a leak. We found evidence of unauthorized access to the system, confirming the presence of the hacker, but we found no evidence to confirm any data export.”
“During the pandemic, delivery of food, groceries and medications is critical to many. Hence, this breach is significantly worse than it would have been before,” Holden added.
“There are plenty of fraud and abuse angles that may come out of this data, but perhaps, more importantly, a mass violation of privacy for customers and couriers.”