Chowbus user data breach (email, name, phone, address) with 800k rows

17 points by abcdabcd987 ↗ HN
Email sent to all users via Chowbus Sendgrid. Link to anonymousfiles.io. Two CSVs, restaurants and users.

  $ head -n 1 users_y1KGkRi.csv
  "email","first_name","last_name","phone_number","address_1","address_2","city","state","zip_code"
  $ wc -l users_y1KGkRi.csv
  803354 users_y1KGkRi.csv
  $ cat users_y1KGkRi.csv | cut -d "," -f 1 | sort | uniq | wc -l
  444218

  $ head -n 1 restaurants_KmHZSPi.csv 
  "name","foreign_name","phone_number","commission_rate","address_1","address_2","city","state","zip_code"
  $ wc -l restaurants_KmHZSPi.csv
    4301 restaurants_KmHZSPi.csv

10 comments

[ 2.9 ms ] story [ 37.4 ms ] thread
Complete disaster.
Although you might have done already, it'd be worth contacting Chowbus to report this. There's an email contact in the footer of their homepage; I couldn't initially find a security-related contact address, but they may have one too.
I got a similar email and contacted Chowbus about it. Here was their reply:

Thank you for bringing this to our attention. As soon as we became aware of this incident, our security team quickly took steps to secure our systems, including our customers’ account information. The link from the email is already disabled. Your credit card information does not exist in our systems. Any credit card information and transaction is processed by Stripe, a secure 3rd party payment processor. We are confident your credit card information is safe.

(comment deleted)
I used to be a person but then I became a consumer and now I've become a row.
Is anyone going to post the anonymousfiles.io link for the two datasets?
typed users_y1KGkRi and y1KGkRi. Got one result, for a link shorten-er app
*into google search