Food Delivery App GonnaOrder Leaked Customer Names, Addresses, and Order Info for Nearly Two Years

A misconfigured Kafka Broker on GonnaOrder’s platform exposed customer names, phone numbers, and delivery details across Europe from August 2022 to May 2025.

    GonnaOrder Data Leak Exposes Customer Information Across Europe

    A misconfigured system on the food delivery platform GonnaOrder left sensitive customer data exposed for nearly two years, potentially compromising the personal details of millions of users. The issue stemmed from an improperly secured Kafka Broker instance, which streamed real-time order data without authentication.

    The Cybernews research team discovered the breach and monitored the leak for just one hour, during which they observed the data of over 2,000 unique customers being exposed. Based on indexing records from an IoT search engine, the researchers estimate that the system had been left open since August 2022.

    “Throughout the whole time the exposed instance was open, malicious actors could have obtained millions of customers’ data,” the researchers said.

    The vulnerable system was finally secured on May 27, 2025, after repeated outreach attempts by the researchers.

    What Type of Data Was Leaked by GonnaOrder?

    The Kafka instance leaked real-time data from customer orders placed through GonnaOrder’s platform. This included transactions from restaurants, bars, hotels, and small shops, mostly located in the UK, Belgium, Greece, Germany, and the Netherlands.

    Details exposed in the leak include:

    • Full customer names
    • Phone numbers and email addresses
    • Home addresses
    • Delivery notes, which sometimes included building access codes
    • Order details
    • Merchant names (restaurants, hotels, and shops)
    • Payment methods used

    Kafka is a tool meant for transmitting data between systems in real time. It is not designed for secure long-term storage. However, researchers warn that persistent attackers could set up automated tools to scrape such exposed data over extended periods. This means the total volume of compromised information could be far greater than what was captured in the one-hour observation window.

    Timeline of the GonnaOrder Leak

    • Leak discovered: March 26, 2025
    • Initial disclosure to GonnaOrder: April 2, 2025
    • National CERT notified: April 9, 2025
    • Instance secured by GonnaOrder: May 27, 2025

    As of now, GonnaOrder has not issued a public statement or disclosed how many users were affected. Cybernews has reached out to the company for comment and is awaiting a response.

    Potential Risks of the Data Exposure

    The type of data leaked opens customers up to identity theft and other forms of cybercrime. Delivery notes and building codes can also pose a physical security risk if exploited for unauthorized access or burglary.

    “Order details can often contain private info such as access codes to enter the building,” the researchers warned.

    The exposed information may also end up being sold on dark web marketplaces, making it available for use in social engineering scams, fraud, and phishing campaigns.