Chowbus Data Breach Compromises Over 800,000 Customer Records


Chicago-based Asian food delivery business Chowbus confirmed that it had experienced a massive data breach on Monday, October 5, 2020. The delivery service admitted to the security incident after users reported getting emails of customer data sent their way on Monday morning.

Chowbus is an Asian mobile food delivery service that provides customers access to ordering food from local restaurants in the United States, Canada, and Australia.


Founded in 2015, the food delivery business aims to bring Asian restaurants closer to its customers, with the company servicing 20 North American cities as of this writing, notes the Chicago Tribune.

Chowbus Breach Compromises Customer Records

According to the Chicago Tribune, among the personal data distributed to customers via email are email addresses, phone numbers, and mailing addresses of other customers. The emails were filed under “Chowbus data,” and the email contained links where customers can download the Chowbus database.


The database in question also reportedly contained contact details for both customers and restaurants of the Asian food delivery service.

In total, approximately 4,300 dining establishments and partner merchants, customer names, email addresses, phone numbers, and addresses, were found in the database. Meanwhile, Have I Been Pwned states that around 800,000 customer records were found on the link to the CSV file.

58% of this number is said to have been found on the Have I Been Pwned website, notes the Chicago Tribune.

Business Insider reports that customers and affected individuals took to airing their concerns on the social media site Reddit, with some posts showing screenshots of the email sent to them. A Reddit user said the “CSV file was like 69MB large and I had no problem finding my own stuff.”

Other users also voiced their concern for the breach via Twitter.

In an email to customers Monday, Chowbus founder and chief executive officer Linxin Wen said that their team discovered that “some of our user data had been illegally accessed and made available online.”

“Thankfully, the data did not contain credit card information or Chowbus account passwords, and we are confident that this information is safe,” continued Wen. According to the delivery service’s Twitter profile, they make use of “Stripe, a secure 3rd party payment processor.”

Following the data security incident, Chowbus said that it has immediately alerted its security team to address the issue, reports BleepingComputer. Business Insider states the company also disabled the links shared on the email sent to customers.

Despite the massive data breach in the US, in an interview with The RiotACT, the delivery service maintains that its Australian arm is safe from the security incident as the country’s server is independent.