Published: Fri, May 19, 2017
Science | By Cecil Little

17 million Zomato user records stolen in security breach


Zomato, the restaurant discovery and food ordering service, has suffered a security breach in which the account details of about 17 million users were stolen.

Of the 17 million accounts, about 6.6 million records in the "leaked" data include a password hash. A hash cannot be decrypted, but an attacker who holds it can guess candidate passwords offline, hash each guess and compare the result with the leaked value, so weak or common passwords are at risk.

In another blog post, Zomato revealed that it had opened a line of communication with the hacker who posted the information for sale on the dark web. "He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers." The marketplace link that was being used to sell the data on the dark web is also reportedly no longer available, according to the blog.



"So far, it looks like an internal (human) security breach - some employee's development account got compromised", the company said in a blog post, without providing further details.

"The database includes emails and password hashes of registered Zomato users, while the price set for the whole package is $1,001.43. No other information was exposed to anyone (we have a copy of the 'leaked' database with us)."

"Technically what they are saying is correct, i.e. a hashed password can not be decrypted, but what they aren't saying is - it is technically possible to break the hashing algorithm to guess the passwords".



According to Zomato's blog post, the company will introduce a bug bounty program on HackerOne. "Your payment information is absolutely safe, and there's no need to panic", the company says. The firm also claimed that 60% of its users log in via OAuth providers such as Google and Facebook, so Zomato never stores a password for them and there is no password hash of theirs to crack. For the remaining users the stored passwords were hashed: "This means your password can not be easily converted back to plain text", reads the blog post. Affected users have been logged out of the website and the app.

It added that because the passwords are hashed, that is, passed through a one-way function whose output cannot be reversed to recover the input, the hackers will not be able to read them directly. The caveat is that hashing is deterministic: an attacker can hash common passwords and compare the results against the leaked list, so weak passwords can still be recovered. The dark web marketplace where the data was listed is not indexed by search engines, unlike the "surface web", which can easily be found through one. Supreme Court advocate Pavan Duggal says, "Such players, referred to as intermediaries under the IT Act, hold sensitive data and are expected to have reasonable security protocols in place".
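The point made above and in the earlier quote, that a hash cannot be decrypted yet passwords can still be guessed from it, is easiest to see in code. The following is an added example and is not Zomato's code or anything from the blog post; the page does not say which hashing scheme Zomato used, so an unsalted MD5 and a salted PBKDF2-HMAC-SHA256 are assumed here purely to contrast a fast hash with a slow, salted one. The wordlist and the "leaked" records are constructed for the example.

```python
# Added example (not Zomato's code): why a leaked password hash cannot be
# "decrypted" but can still be guessed offline, and why a salted, slow KDF
# makes that guessing expensive. The hashing scheme Zomato used is not
# stated on the page; unsalted MD5 and salted PBKDF2-HMAC-SHA256 are
# assumed here only to contrast a fast hash with a slow one.
import hashlib
import hmac
import os
import time
from typing import Callable, Iterable, Optional

# Constructed wordlist standing in for the top of a real cracking dictionary.
WORDLIST = ["123456", "password", "qwerty", "letmein", "zomato123", "iloveyou"]

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the slow scheme


def fast_hash(password: str) -> str:
    """Unsalted, fast hash: every user with the same password gets the same
    digest, and one guess costs well under a microsecond."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def slow_hash(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def crack_fast(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack against an unsalted hash. Nothing is
    decrypted: each candidate is hashed and compared with the leaked digest."""
    for guess in wordlist:
        if hmac.compare_digest(fast_hash(guess), target_hex):
            return guess
    return None


def crack_slow(target: bytes, salt: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Same attack against the salted slow hash. It still succeeds on weak
    passwords; it is just PBKDF2_ITERATIONS times more expensive per guess,
    and the per-user salt means the work cannot be shared across accounts."""
    for guess in wordlist:
        if hmac.compare_digest(slow_hash(guess, salt), target):
            return guess
    return None


def salt_defeats_sharing(password: str) -> bool:
    """Two users with the same password get different stored hashes once a
    random salt is used, so one cracked hash (or a precomputed table) does
    not reveal the other account's password."""
    h1 = slow_hash(password, os.urandom(16))
    h2 = slow_hash(password, os.urandom(16))
    return h1 != h2


def guesses_per_second(hash_fn: Callable[[str], object], wordlist: Iterable[str]) -> float:
    """Rough single-threaded throughput of one hash function over the wordlist."""
    words = list(wordlist)
    start = time.perf_counter()
    for guess in words:
        hash_fn(guess)
    elapsed = time.perf_counter() - start
    return len(words) / elapsed if elapsed > 0 else float("inf")


if __name__ == "__main__":
    leaked_md5 = fast_hash("zomato123")  # constructed "leaked" record
    print("unsalted MD5 cracked as:", crack_fast(leaked_md5, WORDLIST))

    salt = os.urandom(16)
    leaked_pbkdf2 = slow_hash("letmein", salt)  # constructed record plus its salt
    print("salted PBKDF2 cracked as:", crack_slow(leaked_pbkdf2, salt, WORDLIST))

    print("long unique password found in wordlist:",
          crack_fast(fast_hash("correct-horse-battery-staple-2017"), WORDLIST))

    fast_rate = guesses_per_second(fast_hash, WORDLIST)
    slow_rate = guesses_per_second(lambda p: slow_hash(p, salt), WORDLIST)
    print(f"guesses/s: fast={fast_rate:,.0f} slow={slow_rate:,.0f}")
```

Run stand-alone, the script recovers "zomato123" from the unsalted digest and "letmein" from the salted one, fails to find the long unique password in the wordlist, and reports guess rates that differ by roughly the PBKDF2 iteration count. That gap, not any impossibility of reversing the hash, is what separates "your password cannot be converted back to plain text" from "your password is safe": the attacker's budget per account is what decides which weak passwords fall.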


