Zomato says it fixed data breach; loopholes in its encryption methods

Following the events, Zomato is going to announce a bug bounty program on HackerOne.

The India-based company said on Thursday that it recently discovered that around 17 million user records - including email addresses and hashed passwords - had been stolen from its database. "Payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault", the company wrote in a blog post.

According to the blog post, the hacker has also agreed to take the data off the dark web and destroy all copies of the stolen information.

A hacker by the name of Nclay has claimed responsibility for the cyberattack, and was willing to sell data belonging to 17m registered users on a dark web marketplace for more than $1,000.

"Technically what they are saying is correct, i.e. a hashed password cannot be decrypted, but what they aren't saying is - it is technically possible to break the hashing algorithm to guess the passwords". "This means your password cannot be easily converted back to plain text. The marketplace link which was being used to sell the data on the dark web is no longer available".

Zomato says that it will be reaching out to these users and will get them to update their passwords on all services where they may have used the same password.

Zomato, which claims to have 120m monthly users, said that no financial information or other details were accessed by the hackers. The compromised data did not include critical payment information. According to the screenshots of the sale posted on HackRead, the Zomato database used a hashing technique called "MD5", which security experts say is unsuitable for protecting stored passwords.
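Why MD5 is the wrong tool for stored passwords is easier to see in code than in prose. The example below is added here and is not code from Zomato or from the article; the user records in it are constructed. It contrasts an unsalted MD5 table, which makes every pair of users who chose the same password visible at a glance in a leaked dump, with a salted PBKDF2-HMAC-SHA256 store, and it includes the usual migration pattern a site in Zomato's position would use: verify against the legacy hash once at login, then replace it with a proper password hash.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample credentials for this example only (not breach data).
# Two users deliberately share a password to show what an unsalted table leaks.
SAMPLE_USERS: Dict[str, str] = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "correct horse battery staple",
    "carol@example.com": "Tr0ub4dor&3",
}

# Work factor for PBKDF2-HMAC-SHA256 (OWASP-recommended order of magnitude).
PBKDF2_ITERATIONS = 600_000


def md5_store(password: str) -> str:
    """Unsalted MD5 of the password: the scheme the leaked table reportedly used.
    MD5 is fast and, without a salt, deterministic across users."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def duplicate_hash_groups(records: Dict[str, str]) -> Dict[str, list]:
    """Group accounts by their stored hash value.

    With unsalted MD5, identical passwords produce identical hashes, so a leaked
    table reveals password reuse across accounts without any cracking effort.
    With per-user salts this returns an empty dict even for identical passwords.
    """
    groups: Dict[str, list] = {}
    for user, digest in records.items():
        groups.setdefault(digest, []).append(user)
    return {d: sorted(u) for d, u in groups.items() if len(u) > 1}


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash encoded as 'pbkdf2_sha256$<iters>$<salt_hex>$<dk_hex>'.

    A fresh 16-byte random salt per record means two users with the same
    password get different stored values, and the iteration count makes each
    guess expensive for an attacker holding the table.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def migrate_on_login(user: str, password: str,
                     legacy_md5: Dict[str, str],
                     upgraded: Dict[str, str]) -> bool:
    """Verify a login against the legacy MD5 table and, on success, move the
    account to a PBKDF2 record so the MD5 value can be deleted.

    Returns True if the login succeeded (and the record was upgraded).
    """
    if user in upgraded:
        return pbkdf2_verify(password, upgraded[user])
    legacy = legacy_md5.get(user)
    if legacy is None or not hmac.compare_digest(md5_store(password), legacy):
        return False
    upgraded[user] = pbkdf2_store(password)
    del legacy_md5[user]
    return True


if __name__ == "__main__":
    md5_table = {u: md5_store(p) for u, p in SAMPLE_USERS.items()}
    print("shared hashes in MD5 table:", duplicate_hash_groups(md5_table))
    pbkdf2_table = {u: pbkdf2_store(p) for u, p in SAMPLE_USERS.items()}
    print("shared hashes in PBKDF2 table:", duplicate_hash_groups(pbkdf2_table))
```

Running the module prints a non-empty group for alice and bob under MD5 and an empty dict under PBKDF2. The migration helper only upgrades a record after the user has presented the correct password, which is the only moment the site has the plaintext it needs to compute the new hash; until then the legacy value should be treated as compromised and the user asked to change their password, as the article describes Zomato doing.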

What should you do as a user?

If you cannot log in to your account, choose the Recovery option.

Verify your account details - Since the details were compromised, there is a chance that some of them were changed if someone gained access to the account.

Later, however, the firm said that 60 per cent of its users use third-party OAuth services - or, log in using their Google and Facebook accounts - and noted that these users are at "zero risk".

All the stolen information was put up for sale - as is usually the practice when someone steals a large number of user account records - however, our thief turned out to have some noble motives.