Zomato, M Bet and others fall victim to data leaks.
08 November 2020 | BREACHAWARE HQ
A total of 7 breach events were found and analysed, resulting in 16,937,292 exposed accounts containing a total of 6 different types of personal data. The breaches found publicly and freely available included Zomato, M Bet, Fancy Style, Zynga and AW Bridal.
Categories of Personal Data Discovered
Contact Data, Technical Data, Socio-Demographic Data.
Data Breach Analysis
The affected organisations represent a striking cross-section of industries, from global online food delivery and gaming giants to niche fashion and wedding vendors. The platforms include Zomato, M Bet, Fancy Style, Zynga, and AW Bridal, among others. What binds these seemingly unrelated companies together is the now familiar thread of public exposure. These breaches are not locked away on obscure dark web marketplaces; they are freely available, creating long-term risk even for organisations that have already remediated their original vulnerabilities. With six data types in circulation, the information is rich enough to build user profiles, carry out multi-layered attacks, and facilitate ongoing identity-related abuse.
Zomato is one of the world's largest online food delivery and restaurant discovery platforms, serving tens of millions of users across India, the Middle East, Southeast Asia, and other markets. In 2017, Zomato confirmed a breach affecting over 17 million user accounts, and the appearance of its data in this more recent dump likely reflects a re-release of that dataset.
The implications are significant. Food delivery apps are tied to real-world behaviour: where users live, when they eat, what locations they frequent. Even if payment data wasn’t included, a breach of this nature paints a surprisingly detailed picture of urban lifestyles. The data can be used for:
- Credential stuffing (due to password reuse)
- Geographically targeted phishing
- Cross-referencing with social media habits
In addition, the wide reach of Zomato’s user base in emerging markets, where digital literacy and password hygiene may be inconsistent, means the long-term risks are heightened.
M Bet appears to be an online sports betting platform, likely operating in regions where regulation is either lax or ambiguous. Platforms in the gambling industry are frequently targeted by attackers due to the intersection of financial transactions, account balances, and weak regulatory oversight.
Users of gambling platforms are often reluctant to report breaches, and may use pseudonyms, yet attackers can reverse-engineer these to real identities via reused email addresses. Phishing campaigns disguised as betting promotions or fake win alerts are common follow-up threats. Moreover, breaches like this expose platform weaknesses that could eventually lead to fraud, extortion, or money laundering abuses.
Fancy Style is presumably a fashion or e-commerce brand, likely catering to boutique or regional markets. While smaller than the other organisations on the list, these types of platforms often collect the same volume of personal data as larger retailers but with weaker cybersecurity protections.
In the hands of attackers, these data points can be used to impersonate users, send highly specific phishing emails (“Your recent Fancy Style order…”), or launch refund scams. Small platforms often use third-party processors or shared CMS tools (like Magento or WooCommerce), so the breach may also reveal vulnerabilities that affect multiple other online stores built on similar infrastructure.
Zynga is one of the world’s leading casual gaming companies, best known for titles like Words With Friends, FarmVille, and Zynga Poker. In 2019, a breach involving over 170 million Zynga accounts came to light, affecting players who signed up via email (rather than third-party login services like Facebook).
The breach’s significance stems from sheer scale and ubiquity. Zynga games are installed on mobile phones worldwide, often linked to contacts, social graphs, or device-level information. Casual gamers rarely prioritise account security, and many use the same credentials across other platforms.
Although no payment data was believed to be included, the breach provides useful metadata for attackers looking to:
- Run large-scale credential stuffing attacks
- Target users across multiple games with scams or malware
- Impersonate players for social engineering (e.g., in-game fraud or chat-based deception)
AW Bridal is a vendor of affordable wedding dresses and accessories, targeting budget-conscious consumers through online sales. Any breach involving wedding-related services is inherently sensitive due to the nature of the life events involved.
The information exposed could be exploited in phishing scams tailored to the customer’s emotional and financial moment (“Your wedding delivery has been delayed,” for instance). It could also be used for location-based fraud or harassment, especially in scenarios involving shared devices or household members unaware of online purchases.
Furthermore, weddings often involve joint accounts or shared planning tools. If access credentials for planning platforms, payment gateways, or email accounts were reused, the risk extends into personal financial or relationship harm.
6 Data Types: A More Complete Picture
With six types of data exposed across these breaches, attackers can stitch together a full portrait of individual users. The depth and diversity of this information increases the likelihood that automated tools can match users across platforms, building composite identities even when names or emails differ. Once again, the fact that these breaches are now publicly and freely available removes any friction from the data being weaponised.
Cross-Platform Risks and Long-Term Visibility
This breach cluster serves as a stark reminder of how a small number of data points can reveal much more than expected. When attackers aggregate leaked data across different industries, delivery apps, fashion retailers, betting sites, games, and wedding vendors, they can:
- Map behaviours and timelines (e.g., wedding planning + recent clothing orders)
- Identify high-risk users (e.g., gamblers with repeated login reuse)
- Simulate identities or gain access to email, cloud storage, or banking platforms
It’s no longer about what this breach tells you; it’s about how it connects with dozens of others already in circulation. That interconnectivity is the true danger of data being so freely distributed.