Here’s more big news in cyber crime! In a recent blog post, Zomato revealed that about 17 million user records were stolen from its database. The stolen information includes user IDs, names, usernames, email addresses and hashed passwords of its consumers. However, the company confirmed that all payment-related information is still safe.
Zomato says over 120 million users visit its site and app every month. 60% of its users log in to Zomato via their Facebook or Google accounts, so these users are at zero risk, as Zomato does not hold any passwords for these accounts. However, the rest of the users, who log in to Zomato directly using their email address, are at risk, and Zomato has advised all of them to change their passwords immediately.
Of the 17 million stolen user records, 6.6 million contain hashed passwords that can be recovered using brute-force algorithms. Zomato says “We take cyber security very seriously”. As a precaution, the company has reset all the stolen passwords and logged all the affected users out of the website and app. So if you notice that you’re logged out of Zomato, or if your existing password is not working, make sure to change the password for your safety.
At first, Zomato speculated that it might be an internal security breach, as some of its employees’ accounts had been compromised. But after a proper investigation, the company was able to make contact with the hacker, who provided the exact details of how he/she stole the data. This loophole has been plugged to prevent further data leakage.
Zomato says the hacker has been very cooperative during the investigation and that his/her key request was that Zomato should run a bug bounty program for security researchers. So Zomato will start a bug bounty program on HackerOne. The hacker has also agreed to destroy all copies of the stolen data and take the data off the dark web marketplace. Zomato also confirms that the marketplace link that was used to sell the data on the dark web is no longer available.
On a final note, the company says that the hacker has given all the information on how he/she got access to its database, and that it will post this information in future blog posts once it has closed all the loopholes. If you are a Zomato user, feel free to contact the Zomato security team at firstname.lastname@example.org
Source: Zomato blog