In a shocking revelation, Foodpanda Pakistan has come under scrutiny for allegedly exposing the private data of around 16,000 partner restaurants and businesses through an unsecured API endpoint. Cybersecurity experts claim that the flaw allowed unauthorized access to sensitive business details, including names, addresses, and operational data. The issue, reported on LinkedIn by a software architect who had been experimenting with the platform’s data, revealed that sensitive vendor information, including names, trade registration numbers, and contact details, was openly available without any authentication or rate limiting.

The exposed data was found within the Pandora/vendors?country=pk endpoint, which provides public access to a wide range of details, including vendor names, phone numbers, and business registration data. Screenshots shared by the researcher showed that the API returned complete vendor profiles, including personal identifiers, along with other operational data like cuisine types, delivery charges, and performance metrics.

“This isn’t about hacking—it’s about neglect,” the researcher stated, criticizing Foodpanda’s parent company, Delivery Hero, for overlooking basic data protection protocols while focusing heavily on AI-driven business transformation. He emphasized that server teams must be fully aware of what data is exposed and for what purpose, calling it a fundamental aspect of secure data design.
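The two controls the article says were missing on the vendors endpoint are authentication-dependent field exposure and rate limiting. The following is an added example, not Foodpanda or Delivery Hero code: it models a vendor record with fields named in the article (constructed sample data), projects the record through an allowlist so that phone numbers, registration numbers and contact details reach only authenticated callers, and throttles anonymous clients. The field names, the `RateLimiter` class and `handle_vendors_request` are assumptions for illustration.

```python
"""Added example (not Foodpanda/Delivery Hero code): shape a vendor-listing
response so identifiers reach only authenticated callers, and throttle
anonymous clients. Field names are assumptions based on the article."""
import time
from typing import Optional

# Fields the article describes as operational (menu, pricing) versus the
# identifiers it describes as exposed. Allowlist, so new fields default private.
PUBLIC_FIELDS = {"id", "name", "cuisine_types", "delivery_charge"}
RESTRICTED_FIELDS = {"phone", "trade_registration_number", "contact_email", "address"}

SAMPLE_VENDOR = {  # constructed sample, not real vendor data
    "id": 1, "name": "Example Grill", "cuisine_types": ["bbq"],
    "delivery_charge": 99.0, "phone": "+92-300-0000000",
    "trade_registration_number": "REG-0000",
    "contact_email": "owner@example.test", "address": "1 Example Road",
}

def project_vendor(vendor: dict, authenticated: bool) -> dict:
    """Return only the fields the caller is entitled to see."""
    allowed = PUBLIC_FIELDS | (RESTRICTED_FIELDS if authenticated else set())
    return {k: v for k, v in vendor.items() if k in allowed}

class RateLimiter:
    """Fixed-window limiter keyed by client id (e.g. source IP or API key)."""
    def __init__(self, limit: int, window_s: float):
        self.limit, self.window_s = limit, window_s
        self._hits: dict = {}  # client -> (window_start, count)

    def allow(self, client: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        start, count = self._hits.get(client, (now, 0))
        if now - start >= self.window_s:  # window expired, start a new one
            start, count = now, 0
        if count >= self.limit:
            self._hits[client] = (start, count)
            return False
        self._hits[client] = (start, count + 1)
        return True

def handle_vendors_request(vendors, client: str, authenticated: bool,
                           limiter: RateLimiter, now: Optional[float] = None) -> dict:
    """Throttle first, then project each record for the caller's privilege."""
    if not limiter.allow(client, now):
        return {"status": 429, "body": []}
    return {"status": 200,
            "body": [project_vendor(v, authenticated) for v in vendors]}
```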

Cybersecurity experts warn that such vulnerabilities could be exploited by competitors or malicious actors to extract vendor information for targeted marketing or phishing attempts. The exposed API could even allow startups to build competitor databases effortlessly.

As of now, Foodpanda Pakistan and Delivery Hero have not issued an official statement regarding the leak. However, the incident underscores the growing tension between digital innovation and cybersecurity hygiene in the global food delivery industry.

The researcher has also compiled and published a dataset on Kaggle for transparency and further analysis, urging companies to take data governance more seriously in the age of open APIs.

