A major breach has hit a popular food delivery service. Food delivery app FoodPapa allegedly hacked, exposing private information of delivery riders and customers. Phone numbers, emails, photos, passwords, and wallet balances have all appeared online. A threat actor named penguinbrew posted the database on a cybercrime forum.

Penguinbrew claims FoodPapa left a backed up database exposed without protection. This allowed unauthorized access to the files. The leaked data measures about 238 MiB compressed and 1.5 GiB uncompressed. The backup dates back to February 1, 2026.

Customer data includes names, phone numbers, emails, profile images, and verification statuses. Passwords, authentication tokens, refresh tokens, and wallet balances also feature in the leak. Rider data contains even more sensitive information. Identity numbers, signatures, earnings, full addresses, father names, and vehicle registration details have all leaked. Employment data such as termination status has also become public.

Food delivery app FoodPapa allegedly hacked, but the company has not responded yet. Media reached out for an official statement. FoodPapa did not reply at the time of publication. No one knows if the company understands the severity of this breach. Users should change their passwords immediately and watch for phishing attempts.