FoodPapa, a Pakistani food delivery platform, has allegedly had its entire database leaked on a popular cybercrime forum. The threat actor, operating under the handle penguinbrew, claims the company left a backed-up database exposed with no access controls, allowing anyone to download it freely.
The leaked data is not of a small scale, but substantial in weight. The full SQL dump weighs 1.5 GiB uncompressed, with cleaned tables adding another 27 MB. The backup is dated February 1, 2026, suggesting the data is recent. Both the full database and cleaned table exports covering users, delivery men, and admin accounts are reportedly available for download on the forum.
As highlighted on LinkedIn, the leaked credentials include:
User data:
- First Name, Last Name
- Phone, Email
- Image
- Phone/Email Verification Status
- Password, Remember Token
- Interest, Firebase Token
- Status, Order Count, Login Medium
- Social ID, Zone ID
- Wallet Balance, Loyalty Points
- Referral Code
- Auth Token, Refresh Token
- Suspension Reason
Delivery men table data includes:
- First Name, Last Name
- Phone, Email
- Identity Number, Identity Type, Identity Image
- Signature, Image, Password
- Auth Token, FCM Toke
- Zone ID, Status, Earnings
- Current Orders, Restaurant ID
- Vehicle ID, Shift ID
- Full Address, Father Name
- Vehicle Registration Number, License Image
- Shirt Size, Helmet Size
- Payment Status
- Termination Reason and Status
For ordinary users, the immediate risks include phishing attacks, SIM swap fraud, and unauthorized access to linked payment methods. For delivery riders, the exposure of national identity documents and home addresses creates a direct physical safety risk on top of the financial threat.
While the threat is persistent, some people took to the internet to question the data leak. Their claims revolve around the size of the data, and that such a small sample size is not problematic in the grand scheme of things. Some people also mistook the brand with Foodpanda, a different and more prominent food delivery business operational in Pakistan.
FoodPapa has not publicly confirmed or responded to the alleged breach at the time of writing.
Pakistani users of the platform are advised to change their passwords immediately, enable two-factor authentication where available, and monitor their accounts for any unusual activity for any apps they use.
