Share this article on:
Hacker claims to have the details of more than 100,000 Hey You customers and partners, including emails and passwords.
A hacker is claiming to have the data of more than 100,000 customers of the order-ahead app Hey You and is offering the information for sale on a popular hacking forum.
The post, titled “AUSTRALIA ORDERING DATABASE / heyyou.com.au / 202,488 lines”, was made on 25 June by someone calling themselves Billy100.
The data is split over two sets, with the first containing names and phone numbers and the second containing usernames, emails, passwords, and addresses. The sample data suggests that while there are 202,488 lines of information, each person is represented in both lists.
The first list has 101,703 lines, and the second 100,765 lines, so the lists don’t exactly match. Nonetheless, the emails in the second list of samples match the names of those in the first sample set. The discrepancy in numbers appears to be because the second list also includes businesses that partner with Hey You, using a heyyou.com.au email address.
While many of the emails appear listed in previous breaches on haveibeenpwned.com, several emails are unique to this apparent data breach. Most of the emails appear to be personal ones, but some are company addresses.
The passwords are hashed using the SHA-1 hash function, though some of the hashes appear to have been previously cracked.
Billy100 has been busy this month, having posted databases for sale nearly every day since 17 June. The hacker – who could just be a data broker – has sold data belonging to the Panamanian government, Satu Data Indonesia, and India’s eMigrate emigration system.
Hey You has told Cyber Daily it is aware of the post, and is working on verifying the accuracy of the data.
"We have been made aware of a post circulating on the dark web in the last few hours claiming access to personal information of Hey You customers. At this time, we cannot verify the authenticity of this claim. As a precautionary measure, we recommend all of our customers change their passwords immediately," a Hey You spokesperson told Cyber Daily.
"Please be assured that Hey You has strict data and privacy measures in place. These measures ensure that your personal information and any payment details stored on your Hey You account remains secure and inaccessible to unauthorised individuals.
"The Hey You team have informed the authorities and are actively investigating this matter, and we will provide updates as soon as we have more information."
Hey You is available at cafes and restaurants in Sydney, Melbourne, Brisbane, and Perth.
UPDATED 27/06/24 to add commentary from Hey You.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.