Zomato database hacked: Passwords can be easily cracked

Zomato database hacked and it looks like the system used to secure the password is one that can be easily cracked

By: Tech Desk | New Delhi | Updated: May 19, 2017 4:57 pm

Zomato’s data was compromised, with about 17 million user records stolen from the database, including users’ email addresses as well as hashed passwords. The company revealed this yesterday in a blog post. However, it looks like the system used to secure the passwords is one that can be easily cracked, and the data was earlier being offered for sale on the dark web for around Rs 70,000, payable in Bitcoin.

Now, in a new blog post, Zomato has said the hacker concerned has agreed not to sell the data online, and the company is going to start a bug bounty program for security researchers.

Zomato’s latest blog post says “The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers.” According to Zomato, the company will introduce a bug bounty program on HackerOne very soon, and it claims the hacker has agreed to destroy all copies of the stolen data.


The blog post admits that over “6.6 million users had password hashes in the ‘leaked’ data,” and that these can technically be cracked by hackers with “brute force algorithms.” Zomato’s earlier blog post had not said anything about how easily the passwords could be recovered, though the latest one admits this.

Reports claim Zomato was using MD5 to hash passwords. MD5 is a fast, general-purpose hash function rather than a password-hashing scheme: it has no tunable work factor, so an attacker can test a very large number of guesses per second against the leaked hashes, and if no per-user salt is used, every account that chose the same password ends up with the same hash. Passwords stored this way can be cracked quickly.

Zomato itself has not confirmed which hashing scheme it uses for account passwords. On credit and debit card data, Zomato says this is “stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault.” The company claims the payment information has not been stolen.

Either way, Zomato’s data breach affecting 6.6 million users is pretty big. Five data points were exposed in total: user IDs, names, usernames, email addresses and hashed passwords. The company adds that the hacker has already given it full details of how he/she was able to carry out the attack, and says it has fixed the security issues that led to the leak.

“This incident has made our team’s commitment to addressing all our security issues in a responsible and timely manner even stronger. We look forward to working more closely with the ethical hacker community, to make Zomato a safer place for our users,” noted Zomato in its security notice update.

The Zomato incident shows the kind of security issues that arise at online companies holding troves of user data. Zomato’s admission that it used a weak method to protect user account passwords is worrying. Even if credit card data was not stolen, for many of these users it puts their Zomato account at risk, and along with it any credit/debit/wallet information they have saved in it.

For current Zomato users, the best way to cope with something like this is to change your password, preferably to something much stronger, and not just your first name.
