The food and restaurant search engine company Zomato has been hacked, which resulted in 17 million user data being stolen, according to HackRead.com
The report says a vendor going by the online handle of ‘nclay’ is selling the stolen Zomato database, which includes emails and password hashes of users, in the Dark Web marketplace. The price set for the whole package is $1,001.43. The vendor also shared a trove of sample data to prove that the data is legit.
Zomato already has an existing bug bounty programme. However the security researchers and hackers who report vulnerabilities only receive Hall of Fame recognition or a certificate of acknowledgment. Also, in 2015 Zomato was hacked by an Indian ethical hacker Anand Prakash, who not only discovered a critical security flaw in Zomato’s data recall system but also informed the company about the same, says the report in HackRead.com
It was reported last year that the restaurant discovery and food ordering company caters to more than 2.7 million visitors every month in the UAE alone.
Zomato has confirmed the breach in a blogpost:
Over 120 million users visit Zomato every month. What binds all of these varied individuals is the desire to enjoy the best a city has to offer, in terms of food. When Zomato users trust us with their personal information, they naturally expect the information to be safeguarded. And that’s something we do diligently, without fail. We take cyber security very seriously – if you’ve been a regular at Zomato for years, you’d agree.
The reason you’re reading this blog post is because of a recent discovery by our security team – about 17 million user records from our database were stolen. The stolen information has user email addresses and hashed passwords.
We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We however, strongly advise you to change your password for any other services where you are using the same password.
Important note – payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked.
As a precaution, we have reset the passwords for all affected users and logged them out of the app and website. Our team is actively scanning all possible breach vectors and closing any gaps in our environment. So far, it looks like an internal (human) security breach – some employee’s development account got compromised.
How can this stolen information be misused?
Since we have reset the passwords for all affected users and logged them out of the app and website, your zomato account is secure. Your credit card information on Zomato is fully secure, so there’s nothing to worry about there.
What next?
Over the next couple of days and weeks, we’ll be actively working to plug any more security gaps that we find in our systems.
- We’ll be further enhancing security measures for all user information stored within our database
- A layer of authorisation will be added for internal teams having access to this data to avoid the possibility of any human breach.
We regret any disruption this may cause and appreciate your immediate attention to this information. If you have queries/concerns, please do not hesitate to contact our security team by sending an email directly to support@zomato.com and we’ll reach out to you right away.
