Zomato, the restaurant discovery and food ordering platform, suffered a security breach in which the account details of about 17 million users were stolen. The hacker who obtained the data put it up for sale on a dark web marketplace.
The seller, using the handle “nclay” on the dark web, was asking about a thousand dollars for the records of the 17 million users. Zomato, however, has been in close contact with the hacker and persuaded them to delete all the records and withdraw the listing from the marketplace.
Zomato’s blog read:
The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers.
We are introducing a bug bounty program on Hackerone very soon. With that assurance, the hacker has in turn agreed to destroy all copies of the stolen data and take the data off the dark web marketplace. The marketplace link which was being used to sell the data on the dark web is no longer available.
Even though the hacker has agreed to delete the data, the breach still poses a security risk, and Zomato is going to notify the affected users and urge them to change their account passwords.
We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We, however, strongly advise you to change your password for any other services where you are using the same password.
Important note – payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked.
Since the hacker approached this as an ethical disclosure, they shared exactly how the data was stolen, and the Zomato team has closed that loophole to prevent further breaches. This isn’t the first time either: previously, an Indian hacker named Anand Prakash had hacked into the database to show the flaws, which Zomato acknowledged and fixed.
What should you do as a user?
- Reset the password of your Zomato account – this is the first step. Choose a stronger password, not one that is easy to guess. If you cannot log in to your account, use the Recovery option.
- Verify your account details – since the details were compromised, some of them may have been changed if someone gained access to the account. Check all the details of the account and confirm that everything is correct.
- De-authorize and re-authorize social account logins – users who registered with their social media accounts should de-authorize the link once and then re-authorize it.
Finally, share this news with fellow Zomato users so that they are aware and can take these steps to keep their accounts safe.