Zomato hacked, 17 million users’ data up for sale on dark web marketplace

A Hackread report claimed that a seller by the name ‘nclay’ on the dark web has offered to sell the stolen user data from Zomato for about a thousand dollars.


Zomato user data that was stolen contains user email addresses and ‘hashed’ passwords but no payment information.

Bengaluru: Hackers have stolen 17 million user records from food technology start-up Zomato Media Pvt. Ltd, and according to one report, put them up for sale online.

Zomato, India’s best-funded food tech company, confirmed the breach, one of the biggest in a home-grown consumer Internet company.

A report on Hackread.com, however, said the stolen data is up for sale in the dark web, a part of the Internet accessed only with special software, rendering users and website operators almost untraceable.

According to the Hackread report, a seller by the name “nclay” has offered to sell the stolen data from Zomato for about a thousand dollars.

Zomato, however, claimed that the hacker has agreed to destroy all copies of the data and take them off the dark web marketplace after the company agreed to run a bug bounty programme for security researchers.

“The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers,” Zomato said in a blog post. “We are introducing a bug bounty program on Hackerone very soon. With that assurance, the hacker has in turn agreed to destroy all copies of the stolen data and take the data off the dark web marketplace. The marketplace link which was being used to sell the data on the dark web is no longer available.”

“The reason you’re reading this blog post is because of a recent discovery by our security team. About 17 million user records from our database were stolen. The stolen information has user email addresses and hashed passwords,” Zomato’s chief technology officer Gunjan Patidar wrote on an official blog.

“We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We, however, strongly advise you to change your password for any other services where you are using the same password,” he added.
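The scheme the blog post describes (a one-way hash, many iterations, and a separate random salt for every password) looks like the following. This is an added illustration, not code from the article or from Zomato; the article does not name the algorithm or its parameters, so PBKDF2-HMAC-SHA256, the iteration count and the salt length here are assumptions. It shows why two users with the same password still end up with different stored records, and why verification compares digests in constant time.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumptions: the article names neither the algorithm nor the parameters.
# PBKDF2-HMAC-SHA256 with these values is used purely for illustration.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'iterations$salt_hex$digest_hex'.

    A fresh random salt is drawn per password, so identical passwords do not
    share a digest and an attacker cannot reuse one precomputed table for all
    accounts. The iteration count makes each guess proportionally slower.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare.

    hmac.compare_digest avoids leaking, through timing, how many leading bytes
    of the candidate digest matched.
    """
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_gives_different_records(password: str) -> bool:
    """Demonstrate the effect of per-password salt: two records for the same
    password differ, so a leak does not reveal which users share a password."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    # Constructed sample values, not data from the breach.
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("wrong password", record))
    print("salt differs:", same_password_gives_different_records("hunter2"))
```

Storing the iteration count alongside the salt lets the parameters be raised later without invalidating old records; a record is simply re-hashed at the user's next successful login. Note what this scheme does and does not buy: it slows offline guessing of a stolen record, which is why the post still asks users to change any reused password elsewhere.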

Zomato claimed that payment-related information was not stored along with the stolen user data. “No payment information or credit card data has been stolen or leaked,” the blog post said.

The company has reset passwords for all affected users and logged them out of the app as a preventive measure. The company also said that about 60% of its users, who log in to Zomato through Google or Facebook, are at “zero risk”.

It was not immediately clear if the stolen data pertains to users in India or globally. Zomato, which has raised about $225 million from the likes of Info Edge (India) Ltd, Vy Capital and Sequoia Capital, is one of the few Indian consumer Internet start-ups to have gone global.

The company has operations in 24 countries, including Australia, Canada, Singapore, New Zealand, the US and South Africa, and claims to aggregate about 1.2 million restaurants. It claims to have about 120 million monthly user visits.

This is not the first time Zomato data has been compromised. In June 2015, a hacker named Anand Prakash claimed to have hacked into the company’s database to highlight certain technical flaws. The breach was promptly acknowledged by Zomato and corrective actions taken.

To be sure, homegrown Internet firms as well as their global peers have fallen prey to cyber-attacks time and again. Music streaming website Gaana.com was hacked in May 2015, putting at stake about 10 million user records. In June that year, a hackers’ group claimed to have broken into ride-hailing service Ola’s (ANI Technologies Pvt. Ltd) database, though the firm claimed no data was compromised.

The scenario has been no different globally. In 2012, hackers had broken into LinkedIn’s database and stolen about 6.5 million encrypted passwords. In May last year, cyber security firm Symantec said more than 2,500 Twitter accounts were hacked and linked to adult websites. In March this year, Internet firm Yahoo revealed that as many as 32 million accounts were accessed using forged cookies in two years.

As recently as last week, a massive ransomware attack hit over 100 countries, including the UK, Russia, Ukraine, India, Italy and Egypt. The makers of the WannaCry malware demanded that over 200,000 individuals across 10,000 organizations either cough up money or lose data, Mint reported on 16 May.
