Foodpanda Pakistan is facing serious backlash after reports confirmed that a publicly accessible API exposed sensitive details of restaurant owners across the country. The leak, discovered by a local software architect, revealed that one of Foodpanda's vendor endpoints was left completely unsecured, requiring no authentication, no authorization, and no rate limiting, effectively placing thousands of partner restaurants’ private data in the open.
The exposed information reportedly included restaurant owner names, personal phone numbers, business addresses, coordinates, internal vendor IDs, delivery settings, menu categories, and other operational metrics. In some cases, the data also revealed performance details, pricing structures, and backend attributes normally meant only for internal systems.
According to the researcher who uncovered the issue, the API endpoint returned complete vendor datasets instantly and without any restrictions. This means anyone — from competitors to malicious actors — could harvest the data at scale. For an industry dependent on B2B trust, this kind of exposure is a major breach of privacy and security norms.
The implications are severe. Restaurant owners could be targeted with spam, scam calls, phishing attempts, or even harassment, given that their personal mobile numbers and identities were exposed. Competitors could also exploit the data to recruit restaurants or gain unfair market insights based on Foodpanda’s operational metrics. For small businesses that rely heavily on food-delivery platforms, such exposure translates directly into commercial vulnerability.
Cybersecurity experts warn that this incident highlights a recurring issue within fast-growing digital service platforms: scaling their operations rapidly without investing proportionally in secure API design. An unauthenticated public endpoint returning sensitive vendor data is considered a fundamental security violation — something that should never happen in a production environment.

Foodpanda has not yet issued a detailed public explanation, but internal responses shared by the researcher suggest the company is investigating the incident and attempting to assess which parts of the exposed data “should not” have been publicly accessible. There has been no confirmed statement about how long the API was exposed or how many vendors were affected.
The data leak also intensifies ongoing discussions around Pakistan’s lack of strict data-protection enforcement. While consumer data was not part of this breach, the incident shows how vulnerable the ecosystem is when platform operators fail to implement basic safeguards. Industry analysts warn that such gaps erode trust and could push restaurant partners to demand stricter oversight and transparency from major delivery platforms operating in the country.
Going forward, experts say Foodpanda must take immediate action:
- Audit all backend endpoints and remove any unauthenticated public access.
- Implement authentication, rate limiting, and proper access control layers across APIs.
- Notify all affected restaurant partners about what information was exposed.
- Establish a public vulnerability disclosure process so researchers can report issues responsibly.
- Reassure vendors with a clear remediation plan and future prevention strategy.
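
As an added illustration (not Foodpanda's code and not part of the original report), the sketch below applies the three controls named in the list above, authentication, access control and rate limiting, to a vendor lookup, and also restricts which fields each caller receives. The token store, field names and sample record are constructed assumptions.

```python
import time

# Constructed sample record; fields mirror the data categories the article lists.
VENDORS = {"v-1001": {"vendor_id": "v-1001", "name": "Sample Biryani House",
                      "menu_categories": ["Rice", "BBQ"], "owner_name": "A. Owner",
                      "owner_phone": "+92-300-0000000", "commission_rate": 0.25}}
# Hypothetical token store: token -> (role, vendor the token is allowed to manage).
TOKENS = {"tok-partner-1001": ("vendor", "v-1001"),
          "tok-partner-2002": ("vendor", "v-2002"),
          "tok-ops": ("internal", None)}
# A restaurant partner sees its own contact data but never backend-only metrics.
OWNER_FIELDS = {"vendor_id", "name", "menu_categories", "owner_name", "owner_phone"}

class RateLimiter:
    """Fixed-window limiter: at most `limit` requests per `window` seconds per caller."""
    def __init__(self, limit, window):
        self.limit, self.window, self.hits = limit, window, {}

    def allow(self, key, now):
        start, count = self.hits.get(key, (now, 0))
        if now - start >= self.window:      # window expired, start a new one
            start, count = now, 0
        self.hits[key] = (start, count + 1)
        return count < self.limit

def get_vendor(token, vendor_id, limiter, now=None):
    """Return (status, body) for a vendor lookup."""
    now = time.time() if now is None else now
    identity = TOKENS.get(token)
    if identity is None:                    # 1. authentication
        return 401, {"error": "authentication required"}
    if not limiter.allow(token, now):       # 2. rate limiting per credential
        return 429, {"error": "rate limit exceeded"}
    role, own_vendor = identity
    record = VENDORS.get(vendor_id)
    # 3. authorization: same 404 for "missing" and "not yours", so a caller
    #    cannot confirm which vendor IDs exist by walking the ID space.
    if record is None or (role == "vendor" and own_vendor != vendor_id):
        return 404, {"error": "not found"}
    # 4. field allow-list: only internal callers receive the full record.
    allowed = set(record) if role == "internal" else OWNER_FIELDS
    return 200, {k: v for k, v in record.items() if k in allowed}
```

In a real service the limiter would also need to cover failed authentication attempts, keyed on the client address, which this sketch leaves out.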
The Foodpanda Pakistan data leak serves as a major warning for Pakistan’s digital services sector. As more businesses depend on app-based platforms for survival, the responsibility to safeguard partner data becomes non-negotiable. This incident exposes how easily weak API security can compromise thousands of businesses — and how urgently the industry needs stronger data-protection practices.