[HACKED?] Postmates: Customer Data for Sale on the DarkWeb?

Postmates recently relocated a lot of their jobs to the Nashville downtown area, as they’ve opened up a corporate support office in our great city (with 11 spots still open!). Unfortunately, we have recently discovered that Postmates customer data is being advertised for sale on the darkweb. This includes all account details needed to log in as a customer, and since the majority of customers’ accounts have credit cards attached to them server side, that is all that is needed to place orders without knowing or ever seeing the credit card information. Once someone has the account username/password, no other information is currently required to complete a purchase on the Postmates platform. Postmates currently doesn’t offer any option for two-factor authentication, or any other method to prevent a rogue login. Also, it should be noted that if you (or anyone) are logged onto your account on the mobile app (iOS tested), changing your password via the web will NOT kill their current session, and they will remain logged in (verified as of 09/11/16). At the time of publication, there doesn’t appear to be any direct way for a customer to change their registered email address, either.


ANYTHING YOU WANT, DELIVERED WHEN AND WHERE YOU PLEASE
IPHONES? MACBOOKS? WATCHES? PERHAPS A BOTTLE OF DOM? POSTMATES DELIVERS.
GET ALL OF THESE ITEMS AND MORE WITH OUR POSTMATES ACCOUNTS!
A $5 INVESTMENT FOR $1000S WORTH OF PHYSICAL ITEMS

BENEFITS:
• Card attached to every account? Check.
• Get items easily from stores? Check.
• Safer than shopping with Magstripe dumps? Check.
• Delivery of your items right at your feet?? Fucking CHECK.

Recommended tips for using our Postmates accounts:
• Make sure Postmates is available near where you live
• Never order items directly to your door

Check postmates.com for more information

The listing (available on the darkweb / TOR – registration required) has been posted since September 2nd, and over the past 24 hours we have been able to initially verify the authenticity of some of the accounts offered for sale and purchased by a 3rd party. So how did they get this data dump? When did it happen? While we can’t say for sure, on August 26th, a few days before the listing was posted on the darkweb market, the entire Postmates ecosystem was down for around 12 hours – preventing customers, vendors, couriers, and even developers from using the system. While Postmates was silent on the reasons why the downtime occurred, their competitors took advantage with targeted ad campaigns making light of their downtime, such as the email sent by Grubhub, below:

[Image: Grubhub email ad]

The timing between the major outage/downtime and the appearance of the data dump for sale is suspect, at the least. Currently 5 transactions have been processed, some of which we were able to verify. The remaining buyers have given the seller positive feedback on their results, indicating that some transactions have most likely already occurred on customer accounts. The seller has a very lengthy history of positive sales and a reputation for being very reliable within the community, which also points to the authenticity of the data being advertised.


What can you do?

While your email address doesn’t appear to be something the customer can update directly, you are able to delete your credit card information from your account, either from within the app or by logging on to the Postmates website, clicking on your profile photo in the top right corner to access account details, and choosing to delete the payment method on file. If you are concerned, this will disassociate your credit card number from your account so that it can’t be used, and you can re-add it at a later time. You can also reset your account password, but as of this time sessions in (at least) iOS appear not to be affected by a password change, and there is no way to remotely log out the session, at least by the customer. However, with the extremely low number of compromised accounts that have been sold at the time of publication, this should not be an issue, as the chances that your account would be logged into before you changed your password are virtually zero. As Postmates allows you to deliver anything to any address, there is currently no system in place to verify whether your account orders something to an alternate address; no addresses are verified, as that’s a feature of the service.
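For service operators, the session behaviour reported in this article (a web password change leaving the iOS session alive, and no remote logout) is typically closed by binding every session to a per-account credential epoch. The Python model below is an added example, not Postmates' code; `SessionStore`, its method names and the sample account are hypothetical.

```python
import hashlib
import hmac
import secrets

class SessionStore:
    """In-memory model; all names are hypothetical, not Postmates' code."""
    def __init__(self):
        self.users = {}     # username -> {"salt", "hash", "epoch"}
        self.sessions = {}  # token -> (username, epoch when issued)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, password):
        """Create the account or change its password; either way bump the epoch."""
        salt = secrets.token_bytes(16)
        epoch = self.users.get(user, {"epoch": -1})["epoch"] + 1
        self.users[user] = {"salt": salt, "hash": self._hash(password, salt), "epoch": epoch}

    def login(self, user, password):
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["hash"], self._hash(password, rec["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, rec["epoch"])
        return token

    def revoke_all(self, user):
        self.users[user]["epoch"] += 1  # "log out everywhere", no password change

    def validate_weak(self, token):
        # Behaviour the article reports: holding the token is sufficient.
        return self.sessions.get(token, (None, None))[0]

    def validate(self, token):
        user, epoch = self.sessions.get(token, (None, None))
        if user is None or epoch != self.users[user]["epoch"]:
            self.sessions.pop(token, None)  # discard unknown or stale session
            return None
        return user

def demo():
    store = SessionStore()
    store.set_password("alice", "old-password")     # constructed sample account
    mobile = store.login("alice", "old-password")   # long-lived app session
    store.set_password("alice", "new-password")     # password changed "via the web"
    return store.validate_weak(mobile), store.validate(mobile)
```

`validate_weak` still accepts the pre-change token, while `validate` rejects it and forces a fresh login with the new password.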


We have requested comment from Postmates press contacts, but as of the time of publication we have not yet heard back, nor have they made any public statement or required any subset of users to reset their passwords, as far as we’ve been able to gather. We will update this story as more information becomes available.
