This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Hey You

Summary

Australian food ordering service Hey You was allegedly breached by a threat actor using the alias "Billy100," who claimed to have stolen data from over 100,000 customers and partners. The attacker posted 202,488 lines of data for sale on BreachForums on June 25, 2024, comprising two separate datasets with customer information and credentials.

What Happened

On June 25, 2024, a hacker known as "Billy100" posted on BreachForums claiming to have successfully breached Hey You's customer database. The threat actor, who had been actively selling databases almost daily since June 17, 2024, offered two datasets for sale:

  1. First dataset: 101,703 lines containing names and phone numbers
  2. Second dataset: 100,765 lines containing usernames, emails, passwords, and physical addresses

The stolen data was advertised for sale on dark web forums, making it accessible to other malicious actors. The incident was publicly reported by Cyber Daily on June 26, 2024, after the forum posts were discovered.

Hey You acknowledged awareness of the breach claim but stated they could not immediately verify the authenticity of the data. The company advised all customers to change their passwords as a precautionary measure.

Impact on Individuals

The breach exposed sensitive customer account information including:

  • Usernames and email addresses
  • Account passwords (potentially allowing account takeover)
  • Full names and phone numbers
  • Physical addresses for delivery

The combination of credentials and personal information creates multiple risks for affected customers:

  • Account takeover: Compromised passwords could enable unauthorized access to Hey You accounts and linked payment methods
  • Credential stuffing attacks: If customers reused passwords across services, attackers could access other accounts
  • Targeted phishing: Names, emails, and phone numbers enable sophisticated phishing campaigns impersonating Hey You or food delivery services
  • Social engineering: Complete profiles facilitate identity theft and fraud attempts

The inclusion of physical addresses is particularly concerning for users who ordered food for delivery, as it reveals home locations and potential patterns of when residents are typically present.

Organisational Response

Hey You acknowledged the breach claim and stated they were working to verify the accuracy of the stolen data. The company recommended that all customers immediately change their passwords as a precautionary measure, even before verification was complete.

As of the initial disclosure, there was no evidence that Hey You had formally notified the Office of the Australian Information Commissioner or that affected customers received direct notification. The lack of official confirmation and formal notification raised concerns about transparency and compliance with Australia's Notifiable Data Breaches scheme.

The company's response emphasized password resets but did not publicly detail additional security measures implemented to prevent similar breaches or protect customer accounts from unauthorized access using the stolen credentials.

