A shocking discovery has revealed that Foodpanda Pakistan may have been exposing sensitive information about its restaurant partners through an unprotected public API, raising major concerns over data privacy and governance.
The issue came to light when AI Solutions Architect Amin Ahmed Khan began building an experimental AI tool to analyse Foodpanda’s restaurant listings, including pricing, cuisines, and delivery times.
While exploring the company’s public Application Programming Interface (API), Khan uncovered an endpoint — pandora/vendors?country=pk — that reportedly required no authentication or rate limiting.
The data available via this API reportedly included geographic information for restaurant locations, types of cuisine served, delivery charges, vendor performance measures, and contact information for the vendors' owners (e.g., phone numbers).
Khan wrote in a LinkedIn post that the findings weren't just the result of a coding or data-scraping venture. He highlighted that any delivery platform entering Pakistan could access this dataset and build a targeted marketing plan without starting from scratch.
Experts say the exposure violated fundamental data protection principles and reflected typical security flaws in the API's design.
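The two design flaws named above, an endpoint that answers anonymous callers with owner contact details and applies no rate limiting, are both addressed by controls at the API boundary. The following is an added illustration, not Foodpanda's code: the vendor records, the field names, the partner token and scope name, and the handler signature are all constructed for the example. It shows a deny-by-default field allow-list (owner contact fields are only serialised for an authenticated partner holding the right scope), a per-client rate limiter, and a response-side check that fails closed if contact data ever appears in an anonymous response.

```python
"""
Hardening sketch for a public vendor-listing API.

Added example, not Foodpanda's code: the endpoint, field names, tokens and
vendor records below are all constructed for illustration. It demonstrates
the controls the article says were missing: an allow-list of fields safe for
anonymous callers (owner phone numbers never leave the server unless the
caller is an authenticated partner), per-client rate limiting, and a
response-side check that fails closed if personal data slips into an
anonymous response.
"""
import re
import time
from typing import Dict, List, Optional, Tuple

# Constructed sample data standing in for a vendor table.
VENDORS: List[Dict] = [
    {"id": 101, "name": "Karachi Grill", "cuisine": "BBQ", "city": "Karachi",
     "lat": 24.86, "lon": 67.01, "delivery_fee": 99, "rating": 4.4,
     "owner_name": "A. Example", "owner_phone": "+92-300-0000000"},
    {"id": 102, "name": "Lahore Chaat", "cuisine": "Street food", "city": "Lahore",
     "lat": 31.52, "lon": 74.35, "delivery_fee": 49, "rating": 4.1,
     "owner_name": "B. Example", "owner_phone": "+92-301-0000000"},
]

# Deny-by-default: only these fields are ever serialised for anonymous callers.
PUBLIC_FIELDS = ("id", "name", "cuisine", "city", "lat", "lon", "delivery_fee", "rating")
# Owner contact details require an authenticated partner with the right scope.
PARTNER_FIELDS = PUBLIC_FIELDS + ("owner_name", "owner_phone")

# Constructed partner tokens -> granted scopes (a real service would look these up).
PARTNER_TOKENS = {"partner-token-abc": {"vendors:contact"}}

# Loose phone-number shape used by the response-side guard.
PHONE_RE = re.compile(r"\+?\d[\d\-\s]{7,}\d")


class FixedWindowRateLimiter:
    """Allows at most `limit` requests per `window` seconds per client key."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits: Dict[str, Tuple[float, int]] = {}

    def allow(self, client_key: str) -> bool:
        now = self.clock()
        start, count = self._hits.get(client_key, (now, 0))
        if now - start >= self.window:          # window expired: reset
            start, count = now, 0
        if count >= self.limit:
            self._hits[client_key] = (start, count)
            return False
        self._hits[client_key] = (start, count + 1)
        return True


def scopes_for(token: Optional[str]) -> set:
    """Map a presented token to its scopes; unknown or missing tokens get none."""
    return set(PARTNER_TOKENS.get(token, ()))


def serialize_vendor(vendor: Dict, scopes: set) -> Dict:
    """Project a vendor record onto the field set the caller is entitled to."""
    fields = PARTNER_FIELDS if "vendors:contact" in scopes else PUBLIC_FIELDS
    return {k: vendor[k] for k in fields}


def leaks_contact_data(payload: List[Dict]) -> bool:
    """True if any field name or value in the response looks like owner contact data."""
    for item in payload:
        for key, value in item.items():
            if key.startswith("owner_") or (isinstance(value, str) and PHONE_RE.search(value)):
                return True
    return False


def list_vendors(country: str, client_key: str, token: Optional[str],
                 limiter: FixedWindowRateLimiter) -> Tuple[int, object]:
    """Handler for GET /vendors?country=...; returns (HTTP status, body)."""
    if not limiter.allow(client_key):
        return 429, {"error": "rate limit exceeded"}
    if country != "pk":
        return 404, {"error": "unknown country"}
    scopes = scopes_for(token)
    body = [serialize_vendor(v, scopes) for v in VENDORS]
    # Fail closed: an anonymous response must never carry contact data.
    if "vendors:contact" not in scopes and leaks_contact_data(body):
        return 500, {"error": "response blocked by data-protection check"}
    return 200, body


if __name__ == "__main__":
    limiter = FixedWindowRateLimiter(limit=60, window=60.0)
    print(list_vendors("pk", "203.0.113.5", None, limiter))                  # public fields only
    print(list_vendors("pk", "203.0.113.5", "partner-token-abc", limiter))   # includes owner contact
```

The allow-list is the important half: filtering out known-sensitive fields (a deny-list) silently breaks the moment a new column such as an owner e-mail is added to the table, whereas projecting onto PUBLIC_FIELDS keeps anything new private until someone deliberately publishes it. The response-side guard is a second, independent check so that a serialisation mistake produces an error in monitoring rather than a quiet leak.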
Khan cautioned that such exposures increase the risk of malicious actors misusing vendor data, eroding trust and reputation within Pakistan's emerging food delivery industry.
Khan later published a masked dataset on Kaggle to raise awareness, assuring that no personal data was exposed, but was met with criticism for not privately contacting the vendors.