FoodPapa data breach disclosed

FoodPapa, a Pakistani food-delivery app, is facing a reported breach that exposed a recent backup of customer, rider and admin data online. (cwpakistan.com) Computerworld Pakistan and TechJuice reported on April 13, 2026 that a threat actor using the handle “penguinbrew” claimed FoodPapa left a backup database accessible without access controls. The reported dump weighs 1.5 gibibytes uncompressed, with another 27 megabytes of cleaned table exports. (cwpakistan.com, techjuice.pk) The backup is dated February 1, 2026, according to both reports, which means the material was recent rather than an old archive. The published descriptions say the files covered users, delivery workers and administrative accounts. (cwpakistan.com, techjuice.pk) The reported user fields include names, phone numbers, email addresses, passwords, authentication tokens, wallet balances, loyalty points and order counts. The rider records were described as more sensitive, including identity numbers, identity images, home addresses, vehicle registration numbers, license images, earnings and payment status. (techjuice.pk, cwpakistan.com) FoodPapa’s own privacy policy says the company collects profile data such as names, emails and phone numbers, plus delivery addresses, order history, location data, device data and payment data. The policy also says FoodPapa is owned by Sheikhani Group and identifies Ali Sheikhani as chief executive officer. (foodpapa.com) FoodPapa’s privacy policy says it shares data with restaurants, delivery partners, payment service providers, information-technology and security vendors, and legal authorities when required. The same policy says the company follows “industry-standard security protocols” and may notify users by email or platform messages if it makes significant policy changes. (foodpapa.com) At the time those April 13 reports were published, FoodPapa had not publicly confirmed the breach or issued a response. That left the public account of what happened resting on the leaked files’ description and the reporting built around it. (cwpakistan.com, techjuice.pk) Pakistan still does not have a fully enacted standalone personal-data protection law, according to current legal overviews, and its main federal cybercrime statute remains the Prevention of Electronic Crimes Act, 2016. The National Cyber Crime Investigation Agency lists that law and its 2025 amendment among the country’s governing cybercrime rules. (iclg.com, nccia.gov.pk) That legal gap has kept breach response in Pakistan split between criminal-law tools and draft privacy legislation that has not yet become a full framework. In this case, the immediate exposure is simpler: a food-ordering app’s database reportedly sat open long enough for someone to copy it and post it. (recordinglaw.com, cwpakistan.com)