the attacker sold access to user and delivery accounts

Through an old admin panel, an attacker managed to access Glovo and the data of users and distributors, as reported by Forbes and as we at Engadget have been able to confirm. The attacker was apparently selling access data for the backend of the platform where, in principle, users’ passwords could be modified.

Glovo assures Forbes that “although we are currently investigating more, we can confirm that the customer’s card details were not accessed, since we do not save or store this information.” At Xataka we have contacted Glovo, which has confirmed the “unauthorized access of a third party to one of our systems.”

Glovo claims to have blocked access

The breach was spotted by Alex Holden, founder of Hold Security. He discovered screenshots and videos in which the hacker showed how he was accessing computers used to manage Glovo accounts. The breach was disclosed to the company last Thursday and Glovo has just confirmed it, assuring in passing that the problem had been resolved.

As Glovo explains, the attacker “could access through an old admin panel interface. As soon as we became aware, we took immediate action, blocking unauthorized third party access and implementing additional measures to protect our platform.”

Glovo says it is still investigating the problem, but can confirm that “no customer card data was accessed, since Glovo does not save or store such information.” According to Forbes, the attacker could access Glovo’s system and change the passwords of users and distributors, but not access bank information.

The magnitude of the breach is still unknown. Glovo says it is in contact with the Spanish Agency for Data Protection and affirms that it will provide the agency with “all the information they need for their investigation”.

Via | Forbes