Chowbus Data Leak Compromises Hundreds of Thousands of Users’ Personal Information

Over 400,000 users of the Asian food delivery service app Chowbus were affected by a security breach that happened Monday.

The breach led to the release of many Chowbus users’ personally identifying information, including names, addresses, phone numbers and emails. An email from Chowbus CEO Linxin Wen sent Monday afternoon clarified that the leaked information was “illegally accessed,” but no user passwords or credit card data had been released.

The leak was unusual, however, because it involved an email being sent directly to affected users, notifying them immediately of what had happened.

It was around 1:30 A.M. Monday when Olivia Zhang received a strange email, titled simply “Chowbus data.” Curious, Zhang clicked on the email, only to find it contained two long links: “restaurants” and “users.”

Zhang, who studies computer science at the University of Illinois at Urbana-Champaign, said she was immediately alarmed. 

Chowbus had been a “lifesaver” for Zhang during the pandemic, who used it to order groceries from a local Asian grocery. Dozens of Asian restaurants in Champaign and Urbana, including Mandarin Wok, Basil Thai, and Kung Fu BBQ, also use Chowbus for delivery. The service is especially popular among international students from China. According to an analysis of the leaked data, there were over fourteen thousand users affected in Champaign, and almost 900 in Urbana.

According to posts on the Champaign-Urbana Reddit page, the links in the email contained hundreds of thousands of lines of entries containing data on users and restaurants. Zhang forwarded the email to a Chowbus agent, who responded that they were aware of the issue and would keep her updated.

What Zhang found even stranger, however, was that the email seemed to come from the Chowbus email server.

Gang Wang, a computer science professor at the University of Illinois at Urbana-Champaign, also confirmed that the signatures and security details of the email seemed to match that of Chowbus’s own servers. Wang, who specializes in computer security, first found out about the data leak from some of his graduate students, one of whom ran the analysis on the email.

While data leaks are “unfortunately common,” in companies and organizations of different sizes, Wang said that this particular case is a bit different.

Hackers and other external actors’ primary motivation is usually to monetize user data by selling it on the black market, he said, not publicizing the data leak to users. Other hypotheses include a disgruntled former employee trying to get revenge, but the motive remains unclear. Only further investigation by the company and law enforcement will reveal what really happened.

And although the link was quickly deactivated, Wang said that no matter how quickly data can be removed, users should always assume the data is “out,” and has been downloaded and copied. Even without the inclusion of passwords or credit card information, hackers and other nefarious actors can do a lot with “identifiable information, “including accessing existing accounts and opening new accounts.

Wang recommended the site haveibeenpwned.com as a way for users to determine whether their information has been compromised in any leaks. Users can also try to use secure passwords and enable 2-factor authentication whenever possible to try to protect themselves.

Chowbus was founded in Chicago in 2016 by Chinese-born co-founders Linxin Wen and Suyu Zhang, who wanted to make it easier for college students to order Chinese food. The company recently raised over $33 million in funding from venture capitalists, and operates in 22 cities in the U.S., including Champaign and Urbana. It has also expanded to several cities in Canada and Australia.

Chowbus Data Leak News Story