Domino's India discloses data breach after hackers sell data online

Domino's India has disclosed a data breach after a threat actor hacked their systems and sold their stolen data on a hacking forum.

In April 2021, a threat actor created a new topic on a hacking forum where they claimed to be selling 13 TB of stolen data, including details for 18 crores (180 million) orders and 1 million credit cards, from Domino's India.

The threat actor was selling the data for approximately 10 BTC, or $380,000 at today's rates, and shared samples of the database structure for the allegedly stolen data.

This month, the same threat actors launched a Tor dark web search engine that allows people to enter their phone numbers or email addresses to see if their information is exposed in the database.

Before using this search engine, it is vital to remember that the threat actor run this service. Therefore, any submitted data could be used for further malicious activity, such as phishing and smishing attacks.

Domino's India users have told BleepingComputer that they tested the search engine, and it did contain their orders and other personal information from their account.

Domino's India finally discloses a data breach

Today, Security researcher Rajshekhar Rajaharia, who has been following this breach, tweeted that Domino's India has finally begun disclosing the data breach - over a month after it was first reported.

In a short email to customers, Jubilant Networks, the master franchise owner for Domino's Pizza in India, disclosed that they were hacked on March 24th, 2021.

However, they state that the threat actor's claims to have stolen 1 million credit cards are false as they do not store any financial details of users on their site.

From the database tables and information shared with BleepingComputer by users who utilized the search engine, the data does include customers' mobile numbers, names, email addresses, and GPS coordinates.

When combined, hackers can use this information to perform further attacks, such as phishing scams and SMS messaging scams, to steal further sensitive data from those exposed in this breach.

All Domino's India customers should be on the lookout for emails and texts pretending to be from Domino's and not provide any information, such as credit cards and passwords unless you are specifically accessing the https://www.dominos.co.in/ website.