New Delhi, May 18: Shockingly, around 17 million Zomato user records, including email addresses and hashed passwords, were stolen from the company's database, and it has now been learnt that the data is being sold on a popular Dark Web marketplace.
According to information shared on HackRead.com, a user by the name of “nclay” claimed to have hacked Zomato.
“The database includes emails and password hashes of registered Zomato users while the price set for the whole package is USD 1,001.43 (BTC 0.5587). The vendor also shared a trove of sample data to prove that the data is legit,” the report said.
“The data was stolen this month and this year, May 2017,” the hacker told HackRead.
Zomato, which has over 120 million users, however said that all payment records were safe.
“No payment information or credit card data has been stolen/leaked. Payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault,” Zomato said in a blog post on Thursday.
However, it is suspected that it is an internal (human) security breach — some employee’s development account got compromised, the post added.
To avoid any trouble, the company has reset the passwords for all affected users and logged them out of the app and website.
The Zomato team is keeping an eye on all possible breach vectors and closing any gaps.
Hashed passwords cannot be converted or decrypted back to plain text, so the passwords themselves remain safe even where users use the same password for other services.
“But if you are paranoid about security like us, we encourage you to change your password for any other services where you are using the same password,” the post read.
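What “cannot be converted back to plain text” rests on in practice is the hashing scheme: a per-user random salt and a deliberately slow key derivation, so that a stolen record can only be checked against a guess, never decrypted. The example below is added here and is not Zomato's code or the article's; it assumes PBKDF2-HMAC-SHA256 and a 600,000-iteration work factor as illustrative choices.

```python
# Added example (not from the article or Zomato): how a password store keeps
# verifiable-but-irreversible records. Each record carries its own random salt
# and a slow PBKDF2 digest; login recomputes the digest, nothing is decrypted.
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: illustrative slow work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes = b"", iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt or os.urandom(16)  # fresh random salt per user unless one is supplied
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iterations; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False  # unknown scheme: refuse rather than guess
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_distinct_records(password: str, iterations: int = ITERATIONS) -> bool:
    """Two users sharing a password get unrelated records because their salts differ,
    so a leaked record cannot be matched across accounts by comparing hashes."""
    return hash_password(password, iterations=iterations) != hash_password(password, iterations=iterations)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample password
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong guess", record))  # False
```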
“Over the next coming days and weeks, the company will further enhance security measures for all user information stored in our database and will add a layer of authorisation for internal teams having access to this data to avoid the possibility of any human breach,” Zomato said.
However, it is not the first time that Zomato has been hacked.
In 2015, the company was hacked by a white hat hacker who reported the details back to the company which later addressed the weaknesses.
There is speculation that the details may be sold online.