Just a day later, the company stated that it had managed to contact the hacker. In another blog post, the company claims that, in order to contain the breach, it managed to open a line of communication with the hacker who had put the user information up for sale.
The company maintained its claim that only five data points were exposed: user IDs, names, usernames, email addresses, and password hashes with salt. “No other information was exposed to anyone (we have a copy of the ‘leaked’ database with us). Your payment information is absolutely safe and there’s no need to panic.”
Zomato claims that the hack was carried out to press for a bug bounty programme. The statement read, “The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers.”
The company also said that it will introduce a bug bounty program on HackerOne very soon.
The company goes on to state, “Having said that, we are going to be cautious and paranoid, as this is a sensitive matter. 6.6 Mn users had password hashes in the ‘leaked’ data, which can be theoretically decrypted using brute force algorithms. We will be reaching out to these users to get them to update their password on all services where they might have used the same password.”