Zomato’s been embroiled in a major controversy over the past few days after it was discovered that 17 million user accounts had been stolen from its database and were for sale on the dark web. The company has since gotten in touch with the hacker and reached an agreement with them.
The security breach first came to light on May 17 via HackRead, and Zomato confirmed the attack on its blog the next day. Of the 17 million user records stolen, 6.6 million included password hashes. Those hashes cannot be "decrypted" in the usual sense, but they can be cracked by brute force: an attacker hashes candidate passwords offline and compares the results, which quickly recovers weak or common passwords. Zomato is now asking the affected users to change their password on any other platform where they reused it.
As for the rest, Zomato says those accounts are not at risk because roughly 60% of its user base signs in through third-party services like Google and Facebook, so Zomato never holds passwords for them. It would still be prudent to change those passwords as an extra precaution.
Zomato stresses that the stolen passwords are hashed, so they cannot simply be converted back to plain text; the real exposure is offline guessing of weak passwords against those hashes. It also stresses that payment-related information is stored separately and was not leaked. The hacker behind the breach has now agreed to destroy the stolen data and take the listing off the dark web.
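To make the two claims above concrete (a hash is not reversible, yet 6.6 million hashed passwords are still at risk), here is an added example that is not Zomato's code and not from the original report. The page does not say which algorithm Zomato used, so unsalted SHA-256 is an assumption standing in for "a fast hash", PBKDF2-HMAC-SHA256 stands in for "a salted, slow hash", and the wordlist and leaked records are constructed. The example runs the same offline dictionary attack against both storage schemes and counts the hash invocations each one costs the attacker.

```python
import hashlib
import os

# ASSUMPTION: the page does not name Zomato's hash; unsalted SHA-256 is used here
# only to illustrate why a fast, unsalted hash falls to offline guessing.
def fast_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed wordlist (a stand-in for the large dictionaries crackers really use).
WORDLIST = ["123456", "password", "zomato", "qwerty", "letmein", "foodie2017", "biryani"]

# Constructed "leaked" dump: email -> unsalted hash. Three weak passwords, one random one.
STRONG_PASSWORD = "g7#Qz9!pL2@wR4$e"
LEAKED_FAST = {
    "alice@example.com": fast_hash("123456"),
    "bob@example.com": fast_hash("foodie2017"),
    "carol@example.com": fast_hash("biryani"),
    "dave@example.com": fast_hash(STRONG_PASSWORD),
}


def crack_fast(dump: dict, wordlist: list) -> dict:
    """Offline dictionary attack against unsalted hashes.

    Each guess is hashed once and compared against every leaked hash via a
    dict lookup, so the attacker pays len(wordlist) hash computations no
    matter how many users are in the dump. Nothing is "decrypted".
    """
    lookup = {fast_hash(guess): guess for guess in wordlist}
    return {user: lookup[digest] for user, digest in dump.items() if digest in lookup}


def slow_hash(password: str, salt: bytes, iterations: int) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from the standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def make_salted_dump(passwords: dict, iterations: int = 50_000) -> dict:
    """Store each password as (salt, iterations, digest) with a per-user random salt."""
    dump = {}
    for user, password in passwords.items():
        salt = os.urandom(16)
        dump[user] = (salt, iterations, slow_hash(password, salt, iterations))
    return dump


def crack_slow(dump: dict, wordlist: list) -> dict:
    """The same dictionary attack against salted, slow hashes.

    The per-user salt removes the shared lookup table: every guess must be
    recomputed for every user, and each computation costs `iterations` HMACs.
    Weak passwords are still found; they just cost far more per user.
    """
    cracked = {}
    for user, (salt, iterations, digest) in dump.items():
        for guess in wordlist:
            if slow_hash(guess, salt, iterations) == digest:
                cracked[user] = guess
                break
    return cracked


def hash_operations(users: int, guesses: int, iterations: int) -> tuple:
    """Underlying hash invocations the attacker pays for (fast unsalted, slow salted)."""
    return guesses, users * guesses * iterations


if __name__ == "__main__":
    print("fast, unsalted:", crack_fast(LEAKED_FAST, WORDLIST))
    salted = make_salted_dump({"alice@example.com": "123456", "dave@example.com": STRONG_PASSWORD})
    print("slow, salted:  ", crack_slow(salted, WORDLIST))
    print("hash ops for 6.6M users x 10M guesses at 50k iterations:",
          hash_operations(6_600_000, 10_000_000, 50_000))
```

The fast scheme gives up all three weak passwords after hashing the seven guesses once; the random 16-character password survives both attacks because it is not in any wordlist. The salted scheme still yields the weak password, which is why the advice to change a reused password elsewhere holds even when the operator used a strong hash.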
Zomato apparently had surprisingly cooperative talks with the hacker, who reportedly only wanted the firm to acknowledge the security vulnerabilities in its systems, work with the ethical-hacker community to close the gaps, and run a healthy bug bounty program for security researchers.
Zomato has agreed, pledging to open a bug bounty program on HackerOne soon. It notably already has one on the platform, but without monetary rewards. That could change now that its flaws have been highlighted so publicly.