FoodPapa data leak

A 1.5GB database from Pakistani delivery app FoodPapa appeared on a cybercrime forum, reportedly exposing customer names, phone numbers, emails, passwords, delivery-person details, wallet balances and auth tokens from a misconfigured backup dated February 2026. (x.com/DarkWebInformer/status/2043348996924531115). Security posts highlighted the presence of tokens and wallet fields, which raise risks of account takeover and financial fraud for users and drivers named in the leak. (x.com/DarkWebInformer/status/2043348996924531115)

A database tied to Pakistani delivery app FoodPapa appeared on a cybercrime forum this week, with reports saying it exposed customer, rider and admin records. (cwpakistan.com) TechJuice and Computerworld Pakistan reported that the dump was about 1.5 gigabytes uncompressed, with cleaned table exports adding about 27 megabytes. Both outlets said the backup was dated February 1, 2026, and was allegedly left exposed without access controls. (techjuice.pk, cwpakistan.com)

The reported user fields included names, phone numbers, email addresses, passwords, wallet balances, loyalty points, authentication tokens and refresh tokens. The rider records were described as more detailed, including national identity numbers, home addresses, vehicle registration data, licence images and earnings information. (techjuice.pk, cwpakistan.com)

Authentication tokens work like digital session keys that keep a user signed in after login. If valid tokens are exposed alongside passwords and wallet fields, attackers can try account takeover, fraudulent logins and payment abuse without starting from scratch. (cwpakistan.com, techjuice.pk)

The exposure lands in a country that still does not have a fully enacted national personal data protection law. The International Comparative Legal Guides said Pakistan’s main dedicated data protection bill remained in draft stage in its 2025-2026 review, while DLA Piper said there is currently no general breach-reporting duty under the Prevention of Electronic Crimes Act 2016. (iclg.com, dlapiperdataprotection.com)

DLA Piper’s Pakistan entry said the draft Personal Data Protection Bill 2023 would require notice to a commission within 72 hours for breaches likely to risk people’s rights and freedoms, if that bill comes into force. For now, the legal framework remains a mix of the Prevention of Electronic Crimes Act 2016 and sector-specific rules. (dlapiperdataprotection.com, iclg.com)

Pakistan’s National Cyber Crime Investigation Agency says it is the government’s central body for cybercrime investigations and runs a 24-hour helpline at 1799. Its website says the agency handles hacking, fraud, digital forensics and prosecution support. (nccia.gov.pk)

FoodPapa had not publicly confirmed or responded to the alleged leak in the reports published on April 13, 2026. Until the company says what was exposed and whether the tokens remain valid, the core question is whether this was an old backup left open or a live pathway into customer and rider accounts. (techjuice.pk, cwpakistan.com)
