Zomato’s data was compromised, with about 17 million user records stolen from its database, including users’ email addresses as well as hashed passwords. The company revealed this yesterday in a blogpost. However, the method used to protect the passwords appears to be one that can be easily cracked, and the data had earlier been offered for sale on the dark web for around Rs 70,000, payable in Bitcoin.
Now in a new blogpost Zomato has said the hacker concerned has agreed not to sell the data online, and the company is going to start a bug bounty program for security researchers.
Zomato’s latest blogpost says “The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers.” According to Zomato, the company will introduce a bug bounty program on Hackerone very soon, and claims the hacker has agreed to destroy all copies of the data that was stolen.
The blogpost admits that over “6.6 million users had password hashes in the ‘leaked’ data,” and that these hashes can technically be cracked by attackers using “brute force algorithms.” Zomato’s earlier blogpost had not said that the passwords could be recovered so easily; the latest one admits it.
Reports claim Zomato was using MD5 to hash passwords, which is considered one of the weakest choices for password storage. MD5 hashes can be cracked quickly, letting attackers recover the original passwords.
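As an added illustration that is not Zomato’s code (the company has not published its scheme), the following Python contrasts an unsalted MD5 record with a salted, iterated PBKDF2 record and shows the verify-and-upgrade path a site in this position would use to migrate legacy hashes at each user’s next login. The record format, iteration count and sample values are assumptions.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Assumed work factor for the upgraded scheme; MD5 has no such knob, which is
# why a leaked MD5 table can be tested against guesses at enormous speed.
PBKDF2_ITERATIONS = 600_000
RECORD_PREFIX = "pbkdf2_sha256$"  # assumed self-describing record format


def legacy_md5(password: str) -> str:
    """Unsalted MD5 of the password: the kind of record the reports describe."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = b"", iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as scheme$iterations$salt$hash."""
    salt = salt or os.urandom(16)          # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{RECORD_PREFIX}{iterations}${salt.hex()}${dk.hex()}"


def is_legacy(stored: str) -> bool:
    """True when the stored record is still a bare MD5 hash."""
    return not stored.startswith(RECORD_PREFIX)


def verify_and_upgrade(stored: str, password: str) -> Tuple[bool, str]:
    """Check a login attempt against the stored record.

    Returns (matched, record_to_store). For a legacy MD5 record that matches,
    the returned record is a new PBKDF2 record so the store can be rewritten
    transparently at login; on mismatch the stored record is left unchanged.
    """
    if not is_legacy(stored):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex), stored
    ok = hmac.compare_digest(legacy_md5(password), stored)
    return ok, (hash_password(password) if ok else stored)
```

Records that never see a successful login keep their MD5 form, so after a breach like this one the remaining legacy rows should be invalidated with a forced reset rather than left in place.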
Zomato itself has not confirmed what hashing method it uses for account passwords. On credit and debit card data, Zomato says this is “stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault.” The company claims the payment information has not been stolen.
Either way, Zomato’s data breach of 6.6 million users is pretty big. Five data points were exposed in total: user IDs, names, usernames, email addresses and hashed passwords. The company adds that the hacker has already given it full details of how he/she carried out the attack, and says it has fixed the security issues that led to the data leakage.
“This incident has made our team’s commitment to addressing all our security issues in a responsible and timely manner even stronger. We look forward to working more closely with the ethical hacker community, to make Zomato a safer place for our users,” noted Zomato in its security notice update.
The Zomato incident showcases the kind of security issues that exist at online companies dealing with troves of data. Zomato’s admission that it used a weak hashing method for user account passwords is worrying. Even if credit card data was not stolen, for many of these users it puts their Zomato account at risk, and along with it any credit/debit/wallet information the user has saved there.
For current Zomato users, the best way to cope with something like this is to change your password, preferably to something much stronger than, say, your first name.