Another day, another "holy sh*t, I need to change my password" reminder.
The popular restaurant app Zomato fell victim to hackers last weekend, with millions of users (17 million, to be more specific) having information stolen from the food-focused service. Zomato addressed the theft in a post on its website outlining the details of the security breach:
The reason you’re reading this blog post is because of a recent discovery by our security team – about 17 million user records from our database were stolen. The stolen information has user email addresses and hashed passwords.
We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We however, strongly advise you to change your password for any other services where you are using the same password.
According to Zomato, “6.6 million users had password hashes in the ‘leaked’ data, which can be theoretically decrypted using brute force algorithms.” Zomato wound up in contact with the unidentified hacker(s) over the plucked information. They say their interaction with the party that stole the data has actually been remarkably positive. Not only has the information been pulled off the deep web, but the whole affair is being presented as something along the lines of a teachable moment.
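Zomato's statement describes a one-way hash with multiple iterations and a per-password salt, and then concedes that the hashes can still be brute-forced. The example below is an added illustration of that scheme, not Zomato's code, and the algorithm (PBKDF2-HMAC-SHA256), the iteration count and the record format are assumptions chosen for the demonstration. It shows why a per-password salt makes precomputed tables useless (two users with the same password get different hashes) and why the iteration count is the only knob that slows a brute-force attacker, who must repeat the full key derivation for every guess against every leaked hash.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for the demonstration, not Zomato's actual settings.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor; higher means each guess costs an attacker more
SALT_BYTES = 16        # per-password random salt


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt is drawn for every password unless one is supplied
    (the optional argument exists only to make tests deterministic).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the salt and iteration count stored in the record.

    The stored record carries everything needed to verify, so the work factor
    can be raised for new passwords without breaking existing ones.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def cracking_cost_multiplier(iterations: int, leaked_hashes: int) -> int:
    """How many underlying SHA-256 evaluations one dictionary pass costs per guess.

    With a unique salt per record an attacker cannot share work between users,
    so each guessed password must be derived once per leaked hash.
    """
    return iterations * leaked_hashes


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("same password, different records:", alice != bob)
    print("alice verifies:", verify_password("correct horse battery staple", alice))
    print("wrong password rejected:", verify_password("hunter2", alice))
    print("SHA-256 calls per guessed word against 6.6M hashes:",
          cracking_cost_multiplier(ITERATIONS, 6_600_000))
```

The stored record includes the iteration count so that a service can raise the work factor over time and re-hash each user on their next successful login; the constant-time comparison in `verify_password` is a standard precaution against timing side channels.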
The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers.
We are introducing a bug bounty program on Hackerone very soon. With that assurance, the hacker has in turn agreed to destroy all copies of the stolen data and take the data off the dark web marketplace. The marketplace link which was being used to sell the data on the dark web is no longer available.
Zomato is vowing to amp up its security measures to avoid these vulnerabilities in the future, including using the information the hacker provided on how they cracked Zomato’s defenses.