In an online blog post on Wednesday, the Bengaluru-based company said the “servers of a third party we work with were compromised.”
This allowed the attacker to get unauthorized access and breach the company’s database, which included phone numbers, email addresses, the users’ last known location, phone type, and last login dates.
The company added that no payment information like credit card numbers was compromised as it does not store this data on its servers.
Dunzo offers services in several Indian cities, including Bengaluru, Delhi, Gurugram, Pune, Chennai, Jaipur, Mumbai and Hyderabad.
The breach was first reported on July 11, but the company had not disclosed the extent of the compromise. Since then the company said it has reviewed all the third-party plugins and integration.
The leaked information has now been uploaded on the website haveibeenpwned.com, an online resource which helps the public find whether their data has been compromised.