Zomato hacked, details of 17 million accounts stolen, but passwords thought to be secure

The email addresses of 17 million user accounts of Zomato has been stolen, along with the hashed passwords. As the passwords are hashed, the attackers cannot convert or decrypt the passwords back to plain text. This means that users have no need to worry that the passwords have been compromised, other accounts that use the same password can be accessed by the leaks originating from Zomato. However, out of an abundance of precaution, Zomato engineers have asked affected parties to change their passwords in any users accounts, if the same password was used for accessing Zomato services as well.

Zomato CTO Gunjan Patidar disclosed the breach in a blog post. Zomato has reset the passwords of the affected users, and has logged them out of the mobile application as well as the web site. Zomato engineers are investigating the breach, and closing any gaps in the environment. It looks like the development account of an employee got compromised, leading to the breach. Zomato is introducing an additional authorisation step for teams having an access to the data to prevent a repeat of the breach.

Zomato has pointed out that there is no need to panic. The stolen information has only the email addresses of the users and the hashed passwords. The payment information and credit card details are stored in another data vault, and have not been compromised in the breach. The breach affects only 17 million of the 120 million monthly active users on Zomato.

The details of the 17 million accounts are being vended on the Dark Web, according to a report by Hackread. The price of the entire data set is BTC 0.5587 (About Rs 65,261). Samples of the data has also been shared on the dark web marketplace, to verify the authenticity of the leaked database. According to the hacker, the data was accessed in May 2017 itself.

Published Date: May 18, 2017 11:59 am | Updated Date: May 18, 2017 11:59 am