What Happened
In early 2026, Pakistani food delivery app FoodPapa (foodpapa.com) suffered a major data breach when a threat actor named penguinbrew allegedly discovered and leaked its entire database backup—dated February 1, 2026—on a cybercrime forum after it was left exposed online without access controls. The 1.5 GiB SQL dump and additional 27 MB of cleaned tables exposed sensitive data for users (including names, phones, emails, passwords, wallet balances, loyalty points, auth tokens, and images) and delivery riders (including names, IDs, addresses, identity documents, vehicle details, earnings, and signatures), affecting an undisclosed number of records but described as substantial in scale. FoodPapa has not confirmed or responded publicly, prompting advice for users to change passwords and monitor accounts amid risks like phishing, SIM swaps, and physical threats to riders.
