In a recent blogpost foodtech startup Zomato has notified that over 17 Mn user records from its database were stolen recently.
The information includes user email addresses and hashed passwords. Currently, the company claims to have over 120 Mn monthly user visits on its platform.
As per the post, Zomato’s security team discovered the breach recently. The statement reads, “The hashed password cannot be converted/decrypted back to plain text – so the sanctity of your password is intact in case you use the same password for other services. But if you are paranoid about security like us, we encourage you to change your password for any other services where you are using the same password.”
Zomato was founded by Deepinder Goyal and Pankaj Chaddah in 2008 and has raised over $200 Mn in funding and made 10 acquisitions.
However, the company has assured that data theft does not include payments-related information. Gunjan Patidar, Technology Chief at Zomato said, “The payment-related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked.”
Cyber Breaches In The Past
Last week over 150 countries were affected by an outbreak of ransomware. The software, called WannaCry, encrypted the files on a victim’s computer and demanded a ransom to get them back.
In March 2017, US-based fast food restaurant chain, McDonald’s India app, McDelivery, reportedly leaked the personal data of more than 2.2 Mn users.
In October 2016, about 3.2 Mn debit cards were compromised, as a result of a massive data breach that reportedly originated in malware introduced in the systems of Hitachi Payment Services.
In May 2016, the personal data of about 1 Cr IRCTC users was feared to have been leaked from the website’s server. The Maharashtra cyber cell had also informed IRCTC about a potential data theft of its user registration details.
What Now
In Zomato’s case to ensure further safeguards, the company has ‘reset the passwords for all affected users and logged them out of the app and website.’
The post goes on to say that the breach seems like an “internal (human) security breach – some employee’s development account got compromised.”
Since the company has taken the step to change the compromised accounts’ passwords, it allegedly ensures data security, as of now.
The foodtech giant also claims that the team will be working to “plug any more security gaps” and enhancing security measures for all user information stored within their database.
Talking about the data breach Saket Modi, co-founder & CEO Lucideus said, “In general, when someone hacks and copies the data of a website, he copies much more than just the email and the password as in most cases it’s the same database that is used to store other personal identifiable information (PII) of a user. It is a good thing to see that Zomato was following a good practice of hashing the passwords before storing it on their database, but saying “The hashed password cannot be converted/decrypted back to plain text” is misleading.”
He goes on to say, “Technically what they are saying is correct, i.e. a hashed password cannot be decrypted, but what they aren’t saying is – it is technically possible to break the hashing algorithm to guess the passwords. This has happened in the past – over 170 Million LinkedIN accounts that were hacked were actually hashed and stored, however, the hashing function used there was the weak SHA1 without the usage of any modification (salting). Hence almost all the hacked and hashed accounts were broken. It did not stop just to LinkedIN, in fact this is the probable reason why Mark Zuckerberg’s Twitter and Pinterest account was also compromised in 2016 as he apparently was using the same password as his LinkedIN account whose password became public after the hack. Zomato must tell us the hashing algo it was using before the hack happened.”
Zomato is also planning to add ‘a layer of authorisation for internal teams having access to this data to avoid the possibility of any human breach.’
In April 2017, the company released a short form unaudited annual report for FY2017. It claimed to be at the verge of profitability; with revenues up 80%, burn down by 81% In FY17. As per Inc42 Datalabs in 2016 alone, 50 startups in the foodtech space raised $152.3 Mn in investor funding. The year also saw over 37 shutdowns of foodtech startups.
Earlier this month Uber’s on-demand food delivery app UberEATS debuted in India. It has a three-way app for customers, restaurants and deliveries. Other players in the segment include Swiggy, Foodpanda. In April 2017, Google also entered the fray with Areo, which delivers food and home services for residents in Bengaluru and Mumbai.
