Uber Eats Data Breach Leaked Online, Exposing Over 280,000 Records

• A hacker claimed to have infiltrated the Uber U.S. database and stolen 283,000 rows of data.
• The reportedly exfiltrated information pertains to a September 2024 breach and contains customer details.
• The offered sample alleges names, phone numbers, email addresses, and order history are available for download.

The U.S.-based online food ordering and delivery platform Uber Eats, operated by Uber, has allegedly suffered a data breach. The breach reportedly occurred in September 2024 and has resulted in the exposure of 283,000 rows of data.

The incident came to light when a post on a dark web forum by a threat actor using the alias “888” revealed details about the breach. The data includes personal information such as names, phone numbers, email addresses, and order history of Uber Eats customers.

The compromised dataset includes sensitive information such as order details and financial transactions. Key fields in the exposed data include store name, order ID, ordering provider

pos reference, type, and timestamps related to the placement and fulfillment of orders.

Additionally, the breach has exposed financial data categories, which encompass subtotal

delivery charge, tax, tip, and total. The threat actor has provided a sample from the alleged leak, further substantiating the scope and authenticity of the breach.

This is not the first time that Uber has faced a data breach. In 2016, hackers gained access to the personal information of over 57 million customers and drivers.

However, the company chose not to disclose the incident until a year later, when it was publicly reported. This lack of transparency resulted in Uber facing severe backlash from regulators and consumers worldwide.

The same threat actor claimed a Microsoft breach on July 10. The breach allegedly originated from an unnamed third-party vendor and included employee full names, job titles, email addresses, verification status, personal and corporate phone numbers, team affiliations, LinkedIn profiles, company website details, city, state, and country.

On July 3, 888 also posted on a popular hacking forum Shopify’s data breach information that the company said was caused by an unnamed third-party app. The sample boasted over 173,000 sets of user information, which apparently included Shopify IDs, full names, email addresses, phone numbers, order counts, total spending, and subscription statuses.