The India-based company said on Thursday that it recently discovered that around 17 million user records - including email addresses and hashed passwords - had been stolen from its database. The stolen information contains user email addresses and "hashed" passwords but no payment information or credit card data has been stolen/leaked, Zomato said in a blog post.
'The hacker has been very cooperative with us.his/her key request was that we run a healthy bug bounty program for security researchers, ' the blog stated, which the company has acceded to in exchange for taking off all copies of the stolen data from the dark web marketplace and destroying it.
Zomato, which claims to have 120m monthly users, said that no financial information or other details were accessed by the hackers. Apparently, the Zomato hacker has agreed to not sell all the user-names and passwords he has managed to steal, in return for the company to set up a bug bounty program!
MediaNama has written to Zomato to confirm whether it used the outdated MD5 algorithm, and whether it stored salt values on the same server as the passwords. "Your (users) payment information is absolutely safe, and there is no need to panic". However, independent sources including the motherboard state that the password was converted into text easily enough.More news: Tornadoes cause damage in Wisconsin, Oklahoma
For other users, Zomato will be reaching out to get them to update their password on all services where they might have used the same password.
"Zomato must tell its users the hashing algorithm it was using before the hack happened", the cyber security expert suggested. HackRead, a security blog and news website, found the stolen Zomato database of 17 million users for sale on what is called the "dark web".
According to Zomato's blogpost, the company will be introducing a bug bounty program on Hackerone. This can be described as a portion of the content available on the World Wide Web, away from the public internet. This isn't the first time though, as previously, an Indian hacker named Anand Prakash had hacked into the database to show the flaws and that was acknowledged by Zomato, with the measures taken to seal the loophole. Supreme Court advocate Pavan Duggal says, "Such players, referred to as intermediaries under the IT Act hold sensitive data and are expected to have reasonable security protocols in place".