Restaurant aggregator Zomato announced in a blog post on Monday, 15 May, that about 17 million email addresses and passwords had been stolen from its database.
However, the Gurgaon-based company said no payment or credit card information was stolen, as that data was stored separately from the stolen user records in a "PCI Data Security Standard (DSS) compliant vault."
Zomato's CTO Gunjan Patidar later wrote in the blog post that the breach did not compromise user passwords, which he said were stored in encrypted form. The company has "reset the passwords for all affected users and logged them out of the app and website," he wrote.
It is not clear whether the hackers have the encrypted password data, or whether they would be able to recover the real passwords from it and use them. The company also does not seem sure of how the breach happened.
Patidar wrote that "some employee’s development account got compromised." He added that users who are "paranoid" about security should change their Zomato password if they use the same one elsewhere.
The company has a total of 120 million users, and this is the second major breach of its systems in the past two years. In a blog post, Zomato said the hacked passwords were hashed, meaning they will be difficult to access, though such troves of data do eventually get cracked. Nevertheless, changing your password on the platform would be a prudent move. At the same time, it must be pointed out that using the same password across multiple sites is a really bad idea, so if you're doing that anywhere, please change your passwords and get a password manager.
Coming back to Zomato, the company disclosed the attack in a blog post, where it also mentioned that all payment data is stored separately from the stolen data, and that no payment information or credit card data was stolen. In a mailed statement, the company added that all payment information on Zomato is stored in a highly secure PCI Data Security Standard (DSS) compliant vault. It added: "We can also confirm that we have found no evidence whatsoever of any of Zomato’s other systems or products being affected."
As mentioned above, this is not the first time that Zomato has been targeted in a hacking attack. In 2015, the company was hacked by a white hat hacker who reported the details to Zomato, which addressed the weaknesses, according to reports. This time, however, a report says that the stolen usernames and passwords are being sold online.
Zomato reassured users that accounts have been secured and that payment information was stored separately, so there is no cause for concern on that front. But the incident does highlight how much of our data is available to companies, from our real names and addresses to our payment data, and if this was in fact an employee who stole the data, then it is even more important that companies clearly declare what user data is visible to their staff.
"Over the next couple of days, we’ll be actively working to improve our security systems - we’ll be further enhancing security measures for all user information stored within our database, and will also add a layer of authorization for internal teams having access to this data to avoid any human breach," Zomato stated.