FoodPapa, a Pakistani food delivery platform, has allegedly had its entire database leaked on a popular cybercrime forum, with a threat actor operating under the handle penguinbrew claiming that the company left a backed-up database exposed without any access controls, allowing the data to be freely downloaded by anyone who found it. The breach, if confirmed, represents one of the more significant data security incidents to affect a Pakistani consumer technology platform in recent months, both in terms of the volume of data involved and the sensitivity of the personal information contained within it.
The leaked data is substantial in scale. The full Structured Query Language dump weighs 1.5 gigabytes uncompressed, with cleaned table exports adding a further 27 megabytes. The backup is dated February 1, 2026, indicating that the data is recent rather than archival. Both the full database and cleaned table exports covering users, delivery personnel, and administrative accounts are reportedly available for download on the forum. The user data fields exposed include first and last names, phone numbers, email addresses, profile images, phone and email verification status, passwords, authentication tokens, refresh tokens, wallet balances, loyalty points, referral codes, zone identifiers, order counts, social login identifiers, and account suspension reasons. The delivery personnel records are considerably more sensitive in nature, extending beyond digital credentials to include national identity numbers and identity type, identity images, full home addresses, father’s names, vehicle registration numbers, licence images, and even clothing details such as shirt and helmet sizes, alongside earnings data, current order counts, payment status, and termination records.
The risk profile differs meaningfully across the two exposed groups. For ordinary platform users, the most immediate concerns are phishing, SIM swap attempts, and the risk of unauthorised access to any linked payment methods given the exposure of authentication credentials and wallet information. For delivery riders, the threat is more direct: the combination of national identity documents, home addresses, and physical details creates a tangible personal safety risk that extends well beyond the digital sphere. FoodPapa had not publicly confirmed or responded to the alleged breach at the time of reporting. Some online discussion has questioned the significance of the leak based on the size of the dataset, and a number of commentators have also incorrectly conflated the brand with Foodpanda, a separate and more widely known food delivery service operating in Pakistan. Pakistani users of the FoodPapa platform are advised to change their passwords immediately, enable two-factor authentication wherever the option is available, and monitor their accounts and linked financial services for any signs of unusual activity.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
