With the popular online food delivery service Zomato admitting on Wednesday that almost 17 million records of its registered users were stolen from its database which include email addresses and hashed passwords, the data is now being sold on a popular Dark Web marketplace. The stolen data included usernames, email address and hashed password of users. Zomato has also assured all its users that their credit card information was fully secure and that payment-related information was stored separately in a PCI Data Security Standard (DSS) compliant vault.
According to a blogpost on the company's website, the "ethical hacker" - whose identity has been kept under wraps - simply wanted to expose the security vulnerabilities in the company's structure. He/she has also taken down the Dark Web marketplace link but gave a copy of leaked data to Zomato.
Further, so that others can learn from Zomato's mistakes, it will be posting this information on its blog once it fixes the loopholes. "We were able to access user names, email IDs, addresses and history of transactions.We highlighted this to Zomato but we have not heard from them", said Karthick Vigneshwar, director, infySEC. Patidar added, "No other information was exposed to anyone".
"We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password", he explained.
"The hashed password can not be converted/decrypted back to plain text - so the sanctity of password is intact in case users' use the same password for other services", it said.More news: Leonardo DiCaprio and Nina Agdal reportedly split after a year of dating
More news: Senate investigators want to know what Comey does about Trump
More news: Soundgarden singer Chris Cornell dies
The good news is that the hackers have agreed to pull the listing from the market provided the platform runs a "healthy bug program for security researchers". "Your payment information is absolutely safe and there's no need to panic", Zomato said in a statement.
Still, this leaves 6.6 million Zomato users who are, and the firm says that it has taken steps to reset the passwords for all affected users, as well as having logged them out of its app and website. "This means your password can not be easily converted back to plain text", reads the blog post.
Password "hashing" is an encryption technique usually used for large online user databases. This content is not indexed on search engines like Google, and can only be accessed using software that can route around the public internet to get there.
This is not the first time that Zomato has been hacked. "Should an end user face any lossdamage due to data breach, they can sue Zomato and seek compensation".