India’s largest restaurant guide, Zomato, appears to have suffered a major security breach. According to a report in security blog HackRead, “A vendor going by the online handle of ‘nclay’ is claiming to have hacked Zomato and selling the data of its 17 million registered users on a popular Dark Web marketplace.”
The company has also admitted the major security lapse in a blog post. “The reason you’re reading this blog post is because of a recent discovery by our security team — about 17 million user records from our database were stolen. The stolen information has user email addresses and hashed passwords,” said the company in the post. The company has a total of 120 million users.
The company, however, claimed that the data is safe. “The hashed password cannot be converted/decrypted back to plain text – so the sanctity of your password is intact in case you use the same password for other services,” adds Zomato’s blog post.
It also assured users that the “payment-related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked.”
Zomato further added that, for its part, it has reset the passwords of all affected users. “As a precaution, we have reset the passwords for all affected users and logged them out of the app and website. Our team is actively scanning all possible breach vectors and closing any gaps in our environment. So far, it looks like an internal (human) security breach – some employee’s development account got compromised.”
In its blog, HackRead claims that the price for the whole package is $1,001.43 and that the vendor has also shared a trove of sample data to prove that its data is legit. HackRead added that it tested the sample data on Zomato.com’s login page and found that “each and every account mentioned in the list exists on Zomato.” HackRead’s team reportedly also sent password reset emails to some of the email addresses given in the data to further check the veracity of ‘nclay’s’ claims. This too revealed that the data is ‘genuine’, as the email IDs turned out to be registered with Zomato.
Zomato was founded in 2008 by Deepinder Goyal and Pankaj Chaddah. It has operations in 23 countries, including India, Australia and the United States.