The security breach that delivery service Dunzo disclosed earlier this month affected at least 3,465,259 accounts, data provided to security researcher Troy Hunt by Dehashed shows. In an update to Dunzo’s blog post on the breach, the company’s CTO Mukund Jha said that users’ last known location was also compromised. The number of accounts affected is roughly seven times higher than the number of monthly transacting users Dunzo had last October. While disclosing the breach earlier, the company had said that only emails and phone numbers of users were compromised, and hadn’t revealed the number of affected users.
It’s unclear how many Dunzo users were notified of the breach before its contents became public, and why the company chose to wait until the breach data was made public before it informed users about the extent of the information that was compromised, and how many users were affected. We have reached out to the company for comment.
“[The breach] included information, like last known location, phone type, last login dates,” Jha said in an update posted on Wednesday afternoon. Since the breach was announced earlier this month, at a time when much of the country remains under lockdown, it is likely that the breach has exposed many users’ home addresses. While Jha doesn’t mention it in his post, Hunt’s entry notes that users’ IP addresses were also exposed in the breach.
“Our teams are additionally working with two external leading cybersecurity firms to further strengthen all our security practices. This will help ensure that in the future, there is no threat of any unauthorized access to our data,” he added.