Zomato Breach Exposes 17 Million Users

Written by

Some 17 million users are said to have been affected after restaurant search platform Zomato was breached this week.

In a security update outlining what happened, the firm’s chief technologist, Gunjan Patidar, said the stolen information included user IDs, names, usernames, email addresses and password hashes with salt.

No financial information was compromised, the firm said.

“We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password,” he explained. “This means your password cannot be easily converted back to plain text. We however strongly advise you to change your password for any other services where you are using the same password.”

All passwords were immediately reset and users locked out of their accounts and forced to log back in following the incident. In addition, the firm claimed that 60% of its user base actually logs in via OAuth services, using Google and Facebook and the like – so their passwords are safe.

In a bizarre update to the update, Punditar claimed to have managed to contact the hacker who breached the site.

“The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers,” he said.

“We are introducing a bug bounty program on Hackerone very soon. With that assurance, the hacker has in turn agreed to destroy all copies of the stolen data and take the data off the dark web marketplace. The marketplace link which was being used to sell the data on the dark web is no longer available.”

As a precaution, Zomato said it would be urging its 6.6 million users with exposed passwords to change them on other services they may have also used them to access.

Andre Stewart, VP EMEA at Netskope, warned that data breaches of this sort can often create a dangerous domino effect of further breaches.

“When the same credentials are used across multiple accounts, one breach can make data vulnerable across many different cloud apps and services at the same time, creating significant risks to the enterprise. A year from now, this type of hack will create even more complications by exposing the company to huge fines under the GDPR”, he added.

“Wherever possible, organizations must educate end users on basic cyber hygiene and build awareness around the appropriate safe courses of action. Keeping an eye out for unusual behaviour or usage patterns will also help security teams to keep data-hungry criminals at bay.”

What’s hot on Infosecurity Magazine?