
Zomato, M Bet and others fall victim to data leaks.

08 November 2020
BREACHAWARE HQ
Delivery

A total of 7 breach events were found and analysed, resulting in 16,937,292 exposed accounts containing a total of 6 different types of personal data. The breaches found publicly and freely available included Zomato, M Bet, Fancy Style, Zynga and AW Bridal. Sign in to view the full library of breach events which includes, where available, reference articles relating to each breach.

Categories of Personal Data Discovered

Contact Data, Technical Data, Socio-Demographic Data.

Data Breach Analysis

The affected organisations represent a striking cross-section of industries, from global online food delivery and gaming giants to niche fashion and wedding vendors. The platforms include Zomato, M Bet, Fancy Style, Zynga, and AW Bridal, among others.

What binds these seemingly unrelated companies together is the now familiar thread of public exposure. These breaches are not locked away on obscure dark web marketplaces; they are freely available, creating long-term risk even for organisations that have already remediated their original vulnerabilities. With six data types in circulation, the information is rich enough to build user profiles, carry out multi-layered attacks, and facilitate ongoing identity-related abuse.

Zomato is one of the world's largest online food delivery and restaurant discovery platforms, serving tens of millions of users across India, the Middle East, Southeast Asia, and other markets. In 2017, Zomato confirmed a breach affecting over 17 million user accounts, and the appearance of its data in this more recent dump likely reflects a re-release of that dataset.

The implications are significant. Food delivery apps are tied to real-world behaviour: where users live, when they eat, what locations they frequent. Even if payment data wasn’t included, a breach of this nature paints a surprisingly detailed picture of urban lifestyles. The data can be used for:
- Credential stuffing (due to password reuse)
- Geographically targeted phishing
- Cross-referencing with social media habits

In addition, the wide reach of Zomato’s user base in emerging markets, where digital literacy and password hygiene may be inconsistent, means the long-term risks are heightened.

M Bet appears to be an online sports betting platform, likely operating in regions where regulation is either lax or ambiguous. Platforms in the gambling industry are frequently targeted by attackers due to the intersection of financial transactions, account balances, and weak regulatory oversight.

Users of gambling platforms are often reluctant to report breaches, and may use pseudonyms, yet attackers can reverse-engineer these to real identities via reused email addresses. Phishing campaigns disguised as betting promotions or fake win alerts are common follow-up threats. Moreover, breaches like this expose platform weaknesses that could eventually lead to fraud, extortion, or money laundering abuses.

Fancy Style is presumably a fashion or e-commerce brand, likely catering to boutique or regional markets. While smaller than the other organisations on the list, these types of platforms often collect the same volume of personal data as larger retailers but with weaker cybersecurity protections.

In the hands of attackers, these data points can be used to impersonate users, send highly specific phishing emails (“Your recent Fancy Style order…”), or launch refund scams. Small platforms often use third-party processors or shared CMS tools (like Magento or WooCommerce), so the breach may also reveal vulnerabilities that affect multiple other online stores built on similar infrastructure.

Zynga is one of the world’s leading casual gaming companies, best known for titles like Words With Friends, FarmVille, and Zynga Poker. In 2019, a breach involving over 170 million Zynga accounts came to light, affecting players who signed up via email (rather than third-party login services like Facebook).

The breach’s significance stems from sheer scale and ubiquity. Zynga games are installed on mobile phones worldwide, often linked to contacts, social graphs, or device-level information. Casual gamers rarely prioritise account security, and many use the same credentials across other platforms.

Although no payment data was believed to be included, the breach provides useful metadata for attackers looking to:
- Run large-scale credential stuffing attacks
- Target users across multiple games with scams or malware
- Impersonate players for social engineering (e.g., in-game fraud or chat-based deception)

AW Bridal is a vendor of affordable wedding dresses and accessories, targeting budget-conscious consumers through online sales. Any breach involving wedding-related services is inherently sensitive due to the nature of the life events involved.

The information exposed could be exploited in phishing scams tailored to the customer’s emotional and financial moment (“Your wedding delivery has been delayed,” for instance). It could also be used for location-based fraud or harassment, especially in scenarios involving shared devices or household members unaware of online purchases.

Furthermore, weddings often involve joint accounts or shared planning tools. If access credentials for planning platforms, payment gateways, or email accounts were reused, the risk extends into personal financial or relationship harm.

6 Data Types: A More Complete Picture

With six types of data exposed across these breaches, attackers can stitch together a full portrait of individual users. The depth and diversity of this information increase the likelihood that automated tools can match users across platforms, building composite identities even when names or emails differ. Once again, the fact that these breaches are now publicly and freely available removes any friction from the data being weaponised.

Cross-Platform Risks and Long-Term Visibility

This breach cluster serves as a stark reminder of how a small number of data points can reveal much more than expected. When attackers aggregate leaked data across different industries (delivery apps, fashion retailers, betting sites, games, and wedding vendors), they can:
- Map behaviours and timelines (e.g., wedding planning + recent clothing orders)
- Identify high-risk users (e.g., gamblers with repeated login reuse)
- Simulate identities or gain access to email, cloud storage, or banking platforms

It’s no longer about what this breach tells you; it’s about how it connects with dozens of others already in circulation. That interconnectivity is the true danger of data being so freely distributed.

Conclusion

Though the 16.9 million accounts exposed in this group may not be the largest breach on record, their diverse origins and the richness of the leaked data types make them particularly valuable to adversaries. When users span from casual gamers and shoppers to wedding planners and bettors, the fallout is not only widespread, it is unpredictable. Public availability only ensures that this fallout will continue to manifest in both small and systemic ways.
