{"id":650222,"date":"2026-05-28T15:00:19","date_gmt":"2026-05-28T13:00:19","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=650222"},"modified":"2026-05-28T15:17:24","modified_gmt":"2026-05-28T13:17:24","slug":"pick-n-pay-delivery-app-breached-and-limited-shopper-credit-card-details-leaked-online","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/650222-pick-n-pay-delivery-app-breached-and-limited-shopper-credit-card-details-leaked-online.html","title":{"rendered":"Pick n Pay delivery app breached and limited shopper credit card details leaked online"},"content":{"rendered":"\n

A threat actor has claimed to have breached the databases of Pick n Pay’s on-demand consumer goods delivery platform, Asap!, formerly known as Bottles.<\/p>\n\n\n\n

What is alleged to be private customer data has been up for sale on a dark web forum since 23 March 2026, including sensitive customer information such as full credit card details.<\/p>\n\n\n\n

Cybersecurity experts verified the authenticity of the data samples contained in the threat actor’s forum post. They told MyBroadband that the breach may have occurred some time ago.<\/p>\n\n\n\n

Pick n Pay online executive Enrico Ferigolli confirmed to MyBroadband that the breach was legitimate and that it affected private customer information from 2022. <\/p>\n\n\n\n

“We have had a data breach involving customer information from 2022 linked to an older version of our on-demand platform, first known as Bottles and later as Pick n Pay Asap!,” he said. <\/p>\n\n\n\n

Ferigolli said the version of the Asap! platform affected by the breach was replaced in 2025, and the new platform was a completely separate system for which customers had to re-register.<\/p>\n\n\n\n

“Asap! operates on a new and separate infrastructure from the decommissioned infrastructure, and as part of this, we have already completely overhauled our approach to data security.” <\/p>\n\n\n\n

However, users who had registered on Asap! or Bottles before 2022 may still have been affected by the breach, and their data is being sold online. <\/p>\n\n\n\n

The retailer said that the datasets included customer names, email addresses, mobile numbers, dates of birth, delivery addresses, Smart Shopper numbers and encrypted passwords.<\/p>\n\n\n\n

“It also includes the type of credit card, the last four digits of the credit card number and an expiry date. It does not include full credit card numbers or CVV security codes.” <\/p>\n\n\n\n

This contradicted the hacker’s claims, which advertised that CVV numbers were included in the data and specifically mentioned that full card details were exposed.<\/p>\n\n\n\n

Pick n Pay said it was sending out notifications to all customers who were registered on the Bottles platform at the end of 2022 to inform them about the potential information exposure.<\/p>\n\n\n\n

Old Pick n Pay Asap! database exposed<\/h2>\n\n\n\n
\"\"\n\t\t\t\n\t\t\t\t\n\t\t\t<\/svg>\n\t\t<\/button>
Breach Forums post selling Pick n Pay Bottles database<\/figcaption><\/figure>\n\n\n\n

Based on the threat actor’s forum post, the stolen data comprised a user.sql and user_history_addresses.sql file obtained from an undisclosed location.<\/p>\n\n\n\n

Data from the app is being sold for the equivalent of R37,600, or R163,500 for exclusive access to the entire database. The seller is accepting payment in Bitcoin or Ethereum.<\/p>\n\n\n\n

Pick n Pay purchased the Bottles delivery service in 2020<\/a>, which, at the time, was South Africa’s first on-demand liquor delivery platform.<\/p>\n\n\n\n

The retailer repurposed the Bottles app to include on-demand groceries amid the initial pandemic lockdown in South Africa through a service called Grocery Essentials.<\/p>\n\n\n\n

Pick n Pay officially rebranded the platform in August 2021 to compete with the growing popularity of Checkers Sixty60.<\/p>\n\n\n\n

The dark web forum post claimed that the database contained 639MB of user information, including names, usernames, email addresses, mobile numbers, and passwords.<\/p>\n\n\n\n

Samples also appear to contain private information from Pick n Pay employees and vendors that sold their products on Bottles and the Asap! platform.<\/p>\n\n\n\n

Alongside the threat of card data theft, there is a significant risk of spear-phishing attacks using the data that is up for sale.<\/p>\n\n\n\n

Cybercriminals can run targeted campaigns using specific user information, such as physical addresses and email addresses, crafting convincing fraudulent messages to facilitate further theft.<\/p>\n\n\n\n

The SpendTrend26 South African Consumer Survey conducted by Discovery Bank and Visa found that courier and delivery scams were the most common form of fraud in South Africa.<\/p>\n\n\n\n

These phishing scams can be even more effective when they use information such as physical addresses to convince victims they are communicating with company representatives.<\/p>\n\n\n\n

“We are taking this extremely seriously, and our immediate priority is ensuring customers have clear information about what has happened,” said Ferigolli. <\/p>\n\n\n\n

“At this stage, the forensic investigation is ongoing, and we are still working to determine the source, but there is no evidence of unauthorised access to the decommissioned platform.”<\/p>\n\n\n\n

Pick n Pay assured customers that no full payment information was exposed, despite what the hacker claimed, and that the data could not be used to process fraudulent card transactions directly.<\/p>\n\n\n\n

“But other personal data from four years ago was indeed exposed, and for that we are truly sorry,” said Ferigolli.<\/p>\n\n\n\n

\n\n\n\n

More samples from the alleged Pick n Pay delivery app breach<\/h2>\n\n\n\n
\"\"\n\t\t\t\n\t\t\t\t\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n
\"\"\n\t\t\t\n\t\t\t\t\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n
\"\"\n\t\t\t\n\t\t\t\t\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n
\n\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

Pick n Pay has confirmed that a version of its Asap! on-demand delivery platform was breached and customer card details are now being sold online. <\/p>\n","protected":false},"author":341213,"featured_media":640673,"comment_status":"open","ping_status":"closed","sticky":true,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[105533,80068,75762,1441,105534,105531,5380,105532],"class_list":["post-650222","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-asap","tag-breached-forums","tag-claim-expert","tag-cybercrime","tag-delivery-platform","tag-hacker-forums","tag-pick-n-pay","tag-pick-n-pay-bottles"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/650222"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/341213"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=650222"}],"version-history":[{"count":18,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/650222\/revisions"}],"predecessor-version":[{"id":650632,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/650222\/revisions\/650632"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/640673"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=650222"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=650222"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=650222"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}