Hard to swallow: 17m user details stolen in Zomato security breach

19 May 2017


Zomato has become the latest victim of a massive cyberattack.

Restaurant search and food delivery service Zomato has been hacked, with the user details of 17m users stolen.

This information includes email addresses and hashed passwords.


Zomato, which claims to have 120m monthly users, said that no financial information or other details were accessed by the hackers.

It added that because the passwords are hashed – run through a one-way function that turns each password into a fixed-length string from which the original cannot be directly read back – the hackers will be unable to access them.

A hacker by the name of Nclay has claimed responsibility for the cyberattack, and was willing to sell data belonging to 17m registered users on a dark web marketplace for more than $1,000.

An interesting deal has been brokered

Zomato said that no money has passed hands and that it has been in communication with the hacker.

“Earlier today, our security team discovered that user emails and hashed passwords were stolen from our database. Since then, we have taken multiple steps to mitigate the situation. One of these steps was to open a line of communication with the hacker, who had put the user data up for sale.

“The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers.

“We are introducing a bug bounty program on HackerOne very soon. With that assurance, the hacker has in turn agreed to destroy all copies of the stolen data and take the data off the dark web marketplace. The marketplace link, which was being used to sell the data on the dark web, is no longer available.”

Despite this rather civilised turn of events, Zomato is not out of the woods.

“We are going to be cautious and paranoid, as this is a sensitive matter. 6.6m users had password hashes in the ‘leaked’ data, which can be theoretically decrypted using brute force algorithms. We will be reaching out to these users to get them to update their password on all services where they might have used the same password.

“Please note that only five data points were exposed – user IDs, names, usernames, email addresses and password hashes with salt. No other information was exposed to anyone (we have a copy of the ‘leaked’ database with us). Your payment information is absolutely safe and there’s no need to panic,” Zomato said in a statement.
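Zomato's statement concedes that salted hashes can still be brute-forced, which is why it plans to contact the affected users. The added example below (not from the article or from Zomato, whose hash algorithm is not stated; salted SHA-256 and PBKDF2 are assumptions) shows the defender-side triage behind that decision: constructed leaked rows are checked against a short list of common passwords, with a fast hash and a deliberately slow one side by side. The salt defeats precomputed tables, but each row can still be tested guess by guess, so only the per-guess cost of the hash limits how many of the 6.6m hashes would fall.

```python
import hashlib
import hmac
import secrets
import time

# Constructed wordlist; real triage would use a far larger breached-password list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "zomato123", "letmein"]


def fast_hash(password: str, salt: bytes) -> str:
    """Salted SHA-256 (assumed scheme): one guess costs roughly a microsecond."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """PBKDF2-HMAC-SHA256: each guess costs `iterations` hash calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_leak(accounts, hasher):
    """Build constructed (email, salt, digest) rows, fresh 16-byte salt per row."""
    rows = []
    for email, password in accounts:
        salt = secrets.token_bytes(16)
        rows.append((email, salt, hasher(password, salt)))
    return rows


def guessable_accounts(leak, wordlist, hasher):
    """Defender triage: which leaked rows match a common password?
    The per-row salt forces one hash computation per (row, guess) pair,
    but a short wordlist still finds weak passwords quickly."""
    hits = []
    for email, salt, digest in leak:
        for guess in wordlist:
            if hmac.compare_digest(hasher(guess, salt), digest):
                hits.append((email, guess))
                break
    return hits


if __name__ == "__main__":
    accounts = [("alice@example.com", "123456"),
                ("bob@example.com", "c0rrect-h0rse-battery")]
    for name, hasher in (("SHA-256", fast_hash), ("PBKDF2", slow_hash)):
        leak = make_leak(accounts, hasher)
        start = time.perf_counter()
        hits = guessable_accounts(leak, COMMON_PASSWORDS, hasher)
        print(f"{name}: {hits} in {time.perf_counter() - start:.3f}s")
```

Running it shows the same weak account found under both schemes, but the PBKDF2 run takes orders of magnitude longer per guess, which is the margin a slow password hash buys once a database has leaked.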

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com