Zomato hacked: 17 million customer data stolen
Restaurant and food delivery app Zomato advises customers to change their login details
Restaurant and food delivery app Zomato has suffered a security breach in which 17 million user records containing personal data were stolen.
Zomato said that although 17 million user accounts were affected, payment information was not exposed. Because passwords were stored as salted, iterated hashes rather than encrypted, they cannot be directly reversed to plaintext; a leaked hash can still be attacked by offline guessing, however, so weak or reused passwords remain at risk, which is why Zomato still advises users to change their login details.
In a statement, Zomato said: "We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We, however, strongly advise you to change your password for any other services where you are using the same password."
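To make the statement concrete, here is an added example (not Zomato's code, whose algorithm and parameters were not disclosed) of the scheme it describes: a per-password random salt and an iterated one-way function, here PBKDF2-HMAC-SHA256 with an assumed work factor. It also shows the attacker's side, which the advice to change passwords rests on: a leaked record cannot be reversed, but it can be run against a wordlist offline, and a weak password falls regardless of the salt. The leaked records, user names and wordlist are constructed for the example.

```python
"""Salted, iterated password hashing and offline guessing against a leaked
record. Added example; the algorithm, work factor and sample data are
assumptions, not Zomato's own implementation or data."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

ALGORITHM = "pbkdf2_sha256"   # assumption: Zomato did not name its algorithm
DEFAULT_ITERATIONS = 100_000  # assumption: illustrative work factor


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record 'alg$iterations$salt_hex$digest_hex'.

    A fresh 16-byte salt per password means two users with the same password
    get different records, so an attacker cannot crack both with one guess.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time, so timing does not leak how many bytes matched."""
    alg, iterations, salt_hex, digest_hex = record.split("$")
    if alg != ALGORITHM:
        raise ValueError(f"unsupported algorithm: {alg}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack_record(record: str, wordlist: List[str]) -> Optional[str]:
    """Attacker's view of one leaked record.

    Nothing here reverses the hash; each candidate is simply pushed through
    the same public algorithm with the salt taken from the record. The salt
    forces per-record work and the iteration count slows each guess, but a
    password that appears in the wordlist is recovered anyway.
    """
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


def crack_leak(records: Dict[str, str], wordlist: List[str]) -> Dict[str, Optional[str]]:
    """Run the wordlist against every record in a leaked dump."""
    return {user: crack_record(rec, wordlist) for user, rec in records.items()}


# Constructed sample "leak": one weak password, one strong one. A low
# iteration count keeps the example quick; production values are far higher.
LEAKED_RECORDS = {
    "alice@example.com": hash_password("password123", iterations=1_000),
    "bob@example.com": hash_password("correct-horse-9Qz!battery", iterations=1_000),
}
# Constructed wordlist standing in for a real common-password list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "password123", "letmein"]


if __name__ == "__main__":
    for user, found in crack_leak(LEAKED_RECORDS, COMMON_PASSWORDS).items():
        print(user, "->", found or "not cracked with this wordlist")
```

Running the script cracks the weak account and not the strong one. That is the whole point of the advice to change reused passwords: the hashing buys time per guess, not immunity, and the same password reused on another site is only as safe as the weakest wordlist that contains it.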
The company also stressed that no payment data had been stolen: "Important note - payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked."
Zomato initially attributed the hack to an "internal (human) security breach - some employee's development account got compromised", according to its statement.
The hacker then contacted Zomato, explaining how the data had been taken and showing where it was being auctioned on a dark web marketplace.
Since then, Zomato released an updated statement with positive news. It said: "The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers.
"We are introducing a bug bounty program on Hackerone very soon. With that assurance, the hacker has in turn agreed to destroy all copies of the stolen data and take the data off the dark web marketplace. The marketplace link which was being used to sell the data on the dark web is no longer available."