17 million accounts' hashed passwords, emails stolen, Zomato says
Friday, May 19, 2017
Yesterday, Zomato, a food ordering and restaurant finding company, announced security breach of more than 17 million accounts, via their official blog. A hacker operating under the alias nclay uploaded evidence to prove they had the stolen data — hashed passwords and emails — for sale, Hackread.com reported. Zomato later announced they contacted the hacker, who asked Zomato to organise a bug bounty programme.
The food ordering company, with 120 million monthly users, said the payment information of the users was not located with this data and was not leaked. Zomato said it uses PCI Data Security Standards.
As a security measure, all the passwords of the involved Zomato accounts were reset and all of the accounts were forcibly logged out from the application and website. The company said only hashed passwords were compromised.
Hashed passwords are encrypted and, per Zomato, every password had a different "salt", for cryptographic salting was performed before hashing the original password. A "salt" is a random set of characters added before encryption to make decryption to obtain the original passkey more difficult.
The hashed password itself can not be used to access the account. In the blog post before contacting the hacker, saying "internal (human) security breach", Zomato suggested this could have happened after a worker's development account was hijacked. After contacting the hacker, and promising a bug bounty programme on Hackerone, they said, the hacker agreed and removed the stolen data which was put on sale on the dark web. Zomato said they are looking forward to working closely with the ethical hacker community on security vulnerabilities.
Sources
- Anu Thomas. "Zomato: Zomato hacked - Security breach results in 17 million user data stolen" — Economic Times, May 19, 2017
- "Zomato says 17 mn user records stolen" — The Hindu Business Line, May 18, 2017
- Gunjan Patidar. "Security Notice" — Zomato, May 18, 2017
- Gunjan Patidar. "Security Notice" — Zomato, May 18, 2017