Italian Cyber Security Firm Yarix Claims Glovo Data for Sale

(Bloomberg) -- Italian cyber security firm Yarix alleged that hackers accessed confidential data and login credentials related to tens of millions of Glovo’s customers, a breach strongly denied by the Spanish delivery app.

On Tuesday Yarix it said it had evidence attackers are attempting to sell the archive on the dark web -- part of the internet unreachable by conventional web browsers -- with about 160 gigabytes of names, phone numbers, passwords and data related to customers payment systems for sale for about $85,000.

“While the unauthorized third party was able to access IBAN and Tax ID numbers for a short period of time, we can confirm no credit/debit card data was accessed,” a Glovo spokesman said.

In a separate statement on Wednesday, a Glovo spokesman said: “Contrary to recent reports that customer credit and debit card data from our databases were made available for sale on the dark web, we would like to reassure our customers that this is not true.”

Bloomberg hasn’t been able to verify the authenticity of the information alleged to be up for sale, or over what time period it dates back to. Forbes reported on May 4 that Glovo data had been breached. It’s unknown if the data associated with that breach, which Glovo confirmed to Forbes, is connected to that discovered by Yarix.

Mirko Gatto, Yarix’s Chief Executive Officer, said his company were able to obtain extracts from the stolen database that included payment details and Glovo access credentials.

In a new statement Wednesday, a spokesman for Yarix said that it “reiterates it unveiled on dark web the leaked data base allegedly related to Glovo. Yarix double checked that some financial data such as credit cards included as evidence in the sale announcement were valid. Yarix acknowledges what Glovo stated regarding the non-traceability of credit card data to Glovo database.”

©2021 Bloomberg L.P.