Just a day later, the company stated that it had managed to contact the hacker. In another blog post, the company claims that, in order to mitigate the breach, it opened a line of communication with the hacker who had put the user information up for sale.
The company maintained its claim that five data points were exposed: user IDs, names, usernames, email addresses, and password hashes with salt. “No other information was exposed to anyone (we have a copy of the ‘leaked’ database with us). Your payment information is absolutely safe and there’s no need to panic.”
Zomato claims that the hack was done to demand a bug bounty programme. The statement read, “The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers.”
The company also said that it will introduce a bug bounty program on HackerOne very soon.
The company goes on to state, “Having said that, we are going to be cautious and paranoid, as this is a sensitive matter. 6.6 Mn users had password hashes in the ‘leaked’ data, which can be theoretically decrypted using brute force algorithms. We will be reaching out to these users to get them to update their password on all services where they might have used the same password.”
Zomato said that the hacker has, in turn, agreed to destroy copies of the stolen data and take the data off the dark web marketplace. Gunjan Patidar, Technology Chief at Zomato said the “marketplace link which was being used to sell the data on the dark web is no longer available.”
Zomato co-founder Deepinder Goyal took to Twitter to assure users that those who logged in via Facebook or Google were at zero risk.
60% of users use Goog/FB for logging in to Zomato. We don’t have passwds for these accounts – therefore, these users are at zero risk.
— Deepinder Goyal (@deepigoyal) May 18, 2017
However, according to a source close to the development, the data does appear to have been compromised. A Reddit user claims that the passwords are hashed without salt, which would make recovering the passwords feasible, contrary to Zomato’s claims. And they are already available on the dark web for sale.
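To make the salt question above concrete, here is an added illustration (not code from Zomato or from the article) of why an unsalted hash dump is so much worse than a salted one: it assumes a constructed list of three sample users, two of whom chose the same password, and compares a bare fast hash against a per-user salt with a slow key-derivation function.

```python
import hashlib
import hmac
import os

# Constructed sample data (assumption): two of three users reuse a password.
USERS = {"alice": "s3cret!", "bob": "s3cret!", "carol": "other-pass"}


def unsalted_hash(password: str) -> str:
    """Unsalted fast hash: identical passwords give identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256; stored as salt$digest."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + dk.hex()


def build_table(users: dict, salted: bool) -> dict:
    """Simulate a credential table as it would appear in a leaked dump."""
    table = {}
    for name, pw in users.items():
        table[name] = salted_hash(pw, os.urandom(16)) if salted else unsalted_hash(pw)
    return table


def count_shared_hashes(table: dict) -> int:
    """Number of accounts whose stored value is shared with another account.

    In an unsalted dump this directly exposes password reuse: guessing one
    digest unlocks every account that shares it, so the cost of an attack is
    paid once for the whole dump. With per-user salts the count drops to zero
    and each account must be attacked separately, at the KDF's full cost.
    """
    counts = {}
    for value in table.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(c for c in counts.values() if c > 1)


def verify(stored: str, password: str) -> bool:
    """Constant-time check of a password against a salt$digest record."""
    salt_hex, _ = stored.split("$", 1)
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)
```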
Zomato claims that the hacker gave them all the details about gaining access to the database, and that they will post the information on their blog once the loopholes are closed, so that others can learn from their mistakes.
In the meantime, users are advised to change their Zomato password and wherever else the same password is being used.