May 22, 2017

Zomato Hacked; 17 Million User Records Stolen And Put For Sale On Dark Web

In a major cyber attack, Zomato, the popular food delivery app, has suffered a data breach, and the account details of millions of its users have been stolen from its database.


According to the blog post published by the company, about 17 million user records have been stolen from its database. The stolen information includes user email addresses and hashed passwords.

Zomato claims that since the passwords are hashed, they cannot be easily converted back to plain text by the attackers. However, the company strongly advises you to change your password on any other services where you use the same password.

“We use hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text,” the company claims.
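The scheme Zomato describes (one-way hash, multiple iterations, individual salt per password), sketched as an added example that is not Zomato's code. PBKDF2-HMAC-SHA256, the iteration count and the `iterations$salt$hash` record format are assumptions, since the post does not name the algorithm or its parameters.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; the page does not give Zomato's value


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'iterations$salt_hex$hash_hex' using a fresh random salt."""
    salt = os.urandom(16)  # individual salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count."""
    iterations, salt_hex, hash_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was stored with a weaker work factor than the current one."""
    return int(record.split("$")[0]) < iterations


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    first = hash_password("correct horse")
    second = hash_password("correct horse")
    print("records differ:", first != second)
    print("right password:", verify_password("correct horse", first))
    print("wrong password:", verify_password("wrong guess", first))
    print("old record needs rehash:", needs_rehash(hash_password("x", 1_000)))
```

Because every record carries its own salt, identical passwords produce different records and each guess has to be paid for per account at the full iteration cost. A weak or reused password can still be recovered by guessing, which is why the advice to change reused passwords applies even with this scheme in place.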

Zomato also stressed that the breach did not compromise any payment card data, as its users' financial information is stored in a database separate from the one illegally accessed.

“Payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked.”

Despite assurances that additional precautions were taken to safeguard users’ data, the company has, as a preventive measure, reset the passwords of all affected users and logged them out of its app and website. “Since we have reset the passwords for all affected users and logged them out of the app and website, your Zomato account is secure. Your credit card information on Zomato is fully secure, so there’s nothing to worry about there.”

In the blog post, Zomato attributed the security breach to someone inside its organization. “Our team is actively scanning all possible breach vectors and closing any gaps in our environment. So far, it looks like an internal (human) security breach – some employee’s development account got compromised,” the company said.

17 Million Zomato Registered User Accounts Sold on Dark Web

According to, a user by the online handle of “nclay” claimed to have hacked Zomato and was willing to sell data pertaining to 17 million registered users on a popular Dark Web marketplace.

The vendor also shared sample data to verify the authenticity of the leaked database and is asking for 0.5587 Bitcoins (around USD 1,001.43 or ₹65,261) for the entire data set. Here’s a screenshot of the sample data publicly shared by “nclay.”

What should Zomato customers do?

Be wary when opening any new emails, particularly phishing emails.

Zomato is a world-renowned food and restaurant search engine giant founded in 2008. The site has over 120 million monthly visits and ranks 945th in the world, and it is among the top 155 most visited sites in India, according to Alexa ranking.

This is not the first time that Zomato has been the target of a cyber attack. In 2015, the company faced an attack by an ethical hacker named Anand Prakash, who hacked 6.2 crore user accounts of Zomato in order to expose the company’s flaw. However, he later reported the details to Zomato, after which its technical team fixed the bug in an hour’s time, according to reports.
