23 July 2021
KVKK started an investigation on Yemeksepeti - ShiftDelete.Net

KVKK started an investigation on Yemeksepeti – ShiftDelete.Net

In 2001, it started to provide food ordering service online. Food basketAccording to the company’s statement, on March 25, 2021 hacked. Two days later, a part of the database containing user information was seized, according to the statement on Twitter.

Regarding the theft of information, it was also explained what types of data were stolen. In addition, all users were informed via e-mail. The Personal Data Protection Board announced its first concrete step.

KVKK launches investigation for hacked Yemeksepeti

It became official a few days ago that Yemeksepeti, which has been on the agenda with crash problems recently, was hacked. Located in the company’s database Name, surname, date of birth, registered phone numbers, e-mail addresses, registered home / work address and users’ data encrypted with the SHA-256 algorithm were stolen.

yemeksepeti was hacked

Personal Data Protection Authorityrelated to the incident of data breach He started an investigation for Yemeksepeti. explained. The statement made by KVKK is as follows:

As it is known, clause (5) of Article 12 titled “Obligations regarding data security” of the Personal Data Protection Law No.6698, “In case the processed personal data is obtained by others illegally, the data controller shall notify the relevant person and the Board as soon as possible. The Board, if necessary, may announce this on its website or by any other method it deems appropriate. ” the judgment is the supervisor.

In the personal data breach notification sent to the Authority by Yemek Sepeti Elektronik İletişim Perakende Gıda Lojistik A.Ş.

  • A web application server of the Yemek Cart was accessed by the person or persons whose identity could not be determined by the data controller on 18.03.2021,
  • Under normal circumstances, when there is an unauthorized access, a problem has been recorded on the vehicle that warns, but the unauthorized access cannot be noticed at that moment due to a malfunction,
  • When the alarms on 25.03.2021 are examined, a suspicious behavior is detected,
  • There is an opening on a web application server belonging to the lunch box, using this opening, the application is installed and the server can be accessed by running the command,
  • By creating a user on the server by the attackers, data is tried to be collected and traffic is sent to remote servers,
  • 21.504.083 people were affected by the violation,
  • It is evaluated that the personal data affected by the breach are partially determined by the data controller and that the data in question are user name, address, telephone, e-mail, password, IP information,
  • It is stated that credit card or financial data are not affected, that the credit card storage service is provided by Mastercard, independent of the data controller,
  • Related persons regarding the violation [email protected] can receive information via e-mail address,


Although the investigation on the subject continues, it has been decided to announce the aforementioned data breach notification on the website of the Authority with the decision of the Personal Data Protection Board dated 29.03.2021 and numbered 2021/321.

It is respectfully announced to the public.

Leave a Reply

Your email address will not be published. Required fields are marked *