One of India's most successful startups, Zomato, was recently the victim of a major hack that resulted in the compromise of 17 million user accounts. Zomato is a popular online restaurant guide and food ordering app, which exhibits around 100 million monthly visitors.
Technology news sites confirmed the data breach and revealed that the sensitive information was being sold on a popular dark web market.
According to Hackread's account of the event, they discovered that a dark web vendor using the online handle 'nclay' claimed responsibility for the data breach.
The data included emails and password hashes of registered Zomato users. Hashed passwords are random characters that companies use to ensure user accounts are secure. The entire data trove was going for $1,001.43 (approximately 0.5587 Bitcoin).
In an effort to display the legitimacy of the hack, the dark web vendor disclosed a sample of the data. Hackread personnel tested the sample on Zomato's login page and the compromised user accounts turned out to be legitimate.
An attempt to send password reset emails to a number of listed email address confirmed that they were indeed registered with the site.
According to the dark web vendor, the hack was carried out this month. This meant that new signups were affected.
The company acknowledged the data breach in a blog post causing justified uneasiness among Zomato users. The world is still reeling from the largest cyber-attack in the form of the notorious WannaCry ransomware.
Zomato assured its users that it would be difficult to convert the hashed passwords to plain text.
Nonetheless, users were strongly advised to change their passwords for other online services where they could be utilizing the same password. The company also stated that information related to payments such as credit card data is completely safe from being stolen and posted for sale on the dark web.
Payment data is stored in a PCI Data Security Standard compliant vault. Zomato reset all the affected user passwords, and logged them out of the website and app as a precautionary measure.
In an interesting turn of events, the company revealed through a blog post that the hack was an 'ethical' hack meant to highlight the gaps in Zomato's security system.
According to the post, the dark web vendor is cooperating with the Zomato team to address some aspects of system security. Apparently, the hacker's motivation was to expose the security flaws in Zomato's database.
The company plans to reveal to the public how the hack was carried out. The hacker availed this information to Zomato, choosing not to disclose his/her identity.
The hacker requested Zomato to run a bug bounty program for security researchers, then agreeing to remove all copies of the sensitive data from the dark web and destroy it after Zomato agreed to the request.
Currently, the dark web link that was being used to sell the data trove is no longer available. The company now plans to operate a much more appealing bug bounty program on Hackerone.
It is worth noting that Zomato already has a bug bounty program. It seems like the existing program does not offer considerable incentive other than official recognition.
The founder of Zomato, Deepinder Goyal, assures users via Twitter that logins through Google and Facebook accounts were completely safe. He stated that 60 percent of Zomato users access the service through Google and Facebook accounts.
Since the company does not possess the passwords of these users, they are not at risk of compromise.
This is not the first time that the restaurant listing and ordering service has been breached. Indian white hat hacker, Anand Prakash, managed to hack the service in 2015.
He reported the security vulnerabilities to the company, which proceeded to close these gaps. Following this month's events, the firm has vowed to enhance its security measures.
Disclaimer:
You need to enable JavaScript to vote
