Zomato Breach: Company to Team-up with Ethical Hacker Community

Cesar Mills
May 19, 2017

About 17 million Zomato users' records have been stolen from the company's database and are being sold on the dark web.

Zomato said on its blog that data points including user IDs, names, usernames, email addresses, and salted password hashes were exposed in the data breach.

While the hacker had initially put those details up for sale on the dark web at an asking price of $1,001.43 (BTC 0.5587), Zomato has apparently arrived at an agreement with the hacker, who has agreed to remove the ad for the sale of the data on the condition that the company initiates and maintains a bug bounty program. "He/she wanted us to acknowledge security vulnerabilities in our system and... plug the gaps", Zomato wrote.

To ensure that no further damage is caused, Zomato has said it has reset the passwords for all the affected users and has logged them out of its app and website.

According to the blog post, the hacker has also agreed to take the data off the dark web and destroy all copies of the stolen information.


Further, so that others can learn from Zomato's mistakes, the company will post this information on its blog once it fixes the loopholes.

This information includes email addresses and hashed passwords.

"No other information was exposed to anyone. His/her key request was that we run a healthy bug bounty program for security researchers", Zomato CTO Gunjan Patidar said in an official blog post. Zomato also assured people that because passwords and card details were encrypted, they were safe and not compromised.

The investigation into the breach is ongoing but users who use the same password across multiple websites and social media platforms are being advised to change their password as soon as possible. "This means your password can not be easily converted back to plain text", reads the blog post.

It added that because the passwords are hashed - converted into a meaningless string of characters that bears no obvious relation to the actual password - the hackers will be unable to access them. "Your payment information is absolutely safe, and there's no need to panic", Zomato said. Dark web listings such as this one are not indexed on search engines like Google, and can only be accessed using software that routes around the public internet to get there. According to the screenshots of the sale posted on HackRead, the Zomato database used a hashing technique called "MD5", which security experts say is inappropriate for storing passwords. Would Zomato be liable to compensate end users for loss of sensitive data?
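The reason a salt does not rescue MD5 is that MD5 is designed to be fast, so each guess against a leaked hash costs a fraction of a microsecond, whereas a purpose-built password hash makes each guess deliberately expensive. The following added example (not Zomato's code; all values are constructed) contrasts a salted-MD5 scheme of the kind the article describes with PBKDF2-HMAC-SHA256 from Python's standard library, verifies a stored hash with a constant-time comparison, measures how many salted-MD5 evaluations fit in the time of one PBKDF2 derivation, and shows the upgrade-at-login pattern a site can use instead of a blanket reset. The iteration count is a placeholder order of magnitude, not a value from the page.

```python
import hashlib
import hmac
import os
import time

# Placeholder work factor; tune to your hardware so one derivation costs tens of ms.
PBKDF2_ITERATIONS = 600_000


def legacy_md5_hash(password: str, salt: bytes) -> bytes:
    """Salted MD5 as reportedly used: one fast hash call per candidate password."""
    return hashlib.md5(salt + password.encode("utf-8")).digest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store a fresh random per-user salt plus a slow PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored parameters and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def upgrade_legacy_record(password: str, legacy_digest: bytes, legacy_salt: bytes):
    """Upgrade-at-login: if the supplied password matches the old salted-MD5 record,
    return a new PBKDF2 record to write back; otherwise return None."""
    if not hmac.compare_digest(legacy_md5_hash(password, legacy_salt), legacy_digest):
        return None
    return hash_password(password)


def work_factor_ratio(iterations: int = PBKDF2_ITERATIONS, md5_samples: int = 20_000) -> float:
    """How many salted-MD5 evaluations fit in the wall-clock time of one PBKDF2 derivation."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for i in range(md5_samples):
        legacy_md5_hash(f"guess{i}", salt)  # constructed candidate strings
    md5_each = (time.perf_counter() - t0) / md5_samples
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"guess", salt, iterations)
    pbkdf2_one = time.perf_counter() - t0
    return pbkdf2_one / md5_each


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample password
    print("stored record:", record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("Tr0ub4dor&3", record))
    old_salt = os.urandom(8)
    old_digest = legacy_md5_hash("correct horse battery staple", old_salt)
    print("upgraded:", upgrade_legacy_record("correct horse battery staple", old_digest, old_salt) is not None)
    print(f"one PBKDF2 derivation ~ {work_factor_ratio():,.0f} salted-MD5 guesses")
```

The ratio printed on the last line is the practical meaning of "inappropriate for passwords": with MD5, a per-user salt only prevents precomputed tables from being reused across accounts, while the cost of guessing any single weak password stays negligible. The upgrade-at-login helper lets a site move users off the legacy scheme transparently; accounts that never log in again are the ones a forced reset, as Zomato performed, still has to cover.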
