Restaurant search and discovery platform Zomato said on Thursday that it had suffered a data breach in which the information of 17 million users was compromised. In a blog post published on the website, Zomato said its security team had discovered that user records had been stolen.
In a fresh blog post, Zomato says "the hacker has been very cooperative", and he/she requested that Zomato "run a healthy bug bounty program for security researchers", a request that the company has accepted. The company also automatically logged all affected users out of their accounts and reset their passwords, but it advises everyone to change the password on any other online accounts that use that same password. Further, the company added that payment data was stored separately, in a highly secure vault compliant with the PCI Data Security Standard.
This time, however, it doesn't appear to be a case of ethical hacking as the stolen usernames and passwords are being sold online.
According to the hackers selling the stolen data, Zomato used the MD5 hashing algorithm to hash its users' passwords.
According to sources, the stolen data, which includes email IDs and password hashes of millions of Zomato users, is up for sale on a dark web marketplace. Note also that the hacker does not have access to Zomato's database, so the hacker cannot perform a bulk password change.
The company has, however, clarified that the payment data has not been hacked, since it was on a different, more secure server.
The company further gave an assurance that financial or payment-related data (card and transaction details) has not been stolen. Zomato said that its security teams were scanning all the possible vectors of the breach and trying to close any such gaps in the environment.
Food tech company Zomato has been hacked in a security breach which leaked over 17 million user records.
This is also not the first time Zomato has been the victim of this kind of attack. Back in 2015, incidents of Zomato being hacked were all over the place.