How Zomato Became A Victim of Cyber Theft; 17M Accounts Hacked

In 2015, the company was hacked by a white hat hacker who reported the details to Zomato, which addressed the weaknesses, according to reports.

Restaurant aggregator Zomato announced on Monday, 15 May, through a blog post that about 17 million email addresses and passwords had been stolen from its database.

However, the Gurgaon-based company said no payment or credit card information had been stolen, as that data was stored separately from the stolen user records, in a "PCI Data Security Standard (DSS) compliant vault."

Later, Zomato's CTO Gunjan Patidar wrote in the blog post that the security breach did not compromise user passwords, which he said were in encrypted form. The company has "reset the passwords for all affected users and logged them out of the app and website," he wrote.

It is not clear whether the hackers have the encrypted password data, or whether they will be able to recover the real passwords from it and use them. The company does not seem sure of how the breach happened.

Patidar wrote that "some employee’s development account got compromised." He added that users who are "paranoid" about security should change their Zomato password if they use the same one elsewhere.

The company has a total of 120 million users, and this is the second major breach of its systems in the past two years. In a blog post, Zomato said the hacked passwords were hashed, meaning they are difficult to recover, though such troves of data do eventually get cracked. Nevertheless, changing your password on the platform would be a prudent move. At the same time, it must be pointed out that using the same password across multiple sites is a really bad idea, so if you're doing that anywhere, please change your passwords and get a password manager.
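The two defences the article leans on, hashed passwords (here salted and stretched, so a leaked table is not a list of passwords and cannot be attacked with a precomputed table) and the forced reset plus logout of affected accounts described by the CTO, can be modelled in a few dozen lines. The following is an added example, not code from the article or from Zomato; the user store, usernames, passwords, session handling and the PBKDF2 cost parameter are all constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Assumed cost parameter: high enough that guessing offline against a leaked
# table is expensive; tune it to current guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 210_000
SALT_BYTES = 16


@dataclass
class UserRecord:
    salt: bytes
    iterations: int
    pw_hash: bytes
    reset_required: bool = False          # set during breach response
    sessions: Set[str] = field(default_factory=set)


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> UserRecord:
    """Store a per-user random salt and a stretched hash, never the password."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return UserRecord(salt=salt, iterations=iterations, pw_hash=digest)


def verify_password(record: UserRecord, password: str) -> bool:
    """Constant-time comparison; refuses logins while a forced reset is pending."""
    if record.reset_required:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record.salt, record.iterations
    )
    return hmac.compare_digest(candidate, record.pw_hash)


def login(store: Dict[str, UserRecord], username: str, password: str) -> Optional[str]:
    """Return a fresh session token on success, None otherwise."""
    record = store.get(username)
    if record is None or not verify_password(record, password):
        return None
    token = secrets.token_urlsafe(32)
    record.sessions.add(token)
    return token


def session_is_valid(store: Dict[str, UserRecord], username: str, token: str) -> bool:
    record = store.get(username)
    return record is not None and token in record.sessions


def respond_to_breach(store: Dict[str, UserRecord], affected: Set[str]) -> int:
    """Breach response as the article describes it: force a reset and log out
    every affected account, so a leaked hash is useless for login even if it
    is cracked later. Returns the number of accounts handled."""
    handled = 0
    for username in affected:
        record = store.get(username)
        if record is None:
            continue
        record.reset_required = True
        record.sessions.clear()
        handled += 1
    return handled


def complete_reset(store: Dict[str, UserRecord], username: str, new_password: str) -> None:
    """User picks a new password: a new salt and hash replace the old record."""
    store[username] = hash_password(new_password)


def build_demo_store() -> Dict[str, UserRecord]:
    # Constructed sample: two users who chose the same (weak) password.
    # Because each record has its own salt, their stored hashes still differ.
    return {
        "alice": hash_password("correct horse"),
        "bob": hash_password("correct horse"),
    }


if __name__ == "__main__":
    store = build_demo_store()
    print("same password, different hashes:", store["alice"].pw_hash != store["bob"].pw_hash)
    token = login(store, "alice", "correct horse")
    print("login ok:", token is not None)
    print("accounts handled:", respond_to_breach(store, {"alice", "bob"}))
    print("old session still valid:", session_is_valid(store, "alice", token))
    print("old password still works:", login(store, "alice", "correct horse") is not None)
    complete_reset(store, "alice", "a longer new passphrase")
    print("login with new password:", login(store, "alice", "a longer new passphrase") is not None)
```

The reset flag is what makes the "reset all passwords" step meaningful: after `respond_to_breach` the old hash is never consulted again, so whatever an attacker eventually recovers from the dump buys nothing on this site. The remaining risk the article points at, the same password reused on another site, is outside what any one operator's store can fix.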

Coming back to Zomato, the company disclosed the attack in a blog post, where it also mentioned that all payment data is stored separately from the stolen data, and that no payment information or credit card data has been stolen. In a mailed statement, the company added that "All payment information on Zomato is stored in a highly secure PCI Data Security Standard (DSS) compliant vault." It added: "We can also confirm that we have found no evidence whatsoever of any of Zomato’s other systems or products being affected."

As mentioned above, this is not the first time that Zomato has been targeted in a hacking attack. In 2015, the company was hacked by a white hat hacker who reported the details to Zomato, which addressed the weaknesses, according to reports. This time, however, a report says that the stolen usernames and passwords are being sold online.

Zomato reassured users that accounts have been secured and that payment information was stored separately, so there is no cause for concern. But this incident does highlight how much of our data companies hold, from our real names and addresses to our payment data, and if this was in fact an employee who stole the data, then it is even more important that companies clearly declare what user data is visible to their staff.

"Over the next couple of days, we’ll be actively working to improve our security systems - we’ll be further enhancing security measures for all user information stored within our database, and will also add a layer of authorization for internal teams having access to this data to avoid any human breach," Zomato stated.
