India's largest restaurant and food delivery app Zomato announced on Thursday (18) that the data of 17 million users had been stolen from its database, including names, email addresses and protected passwords.
Zomato also states that it will introduce a bug bounty programme "very soon". The hacker(s) basically wanted the company to acknowledge the security vulnerabilities that were rampant in its system and to work with the ethical hacker community to close the holes.
But the company said payment-related information is stored separately in a highly secure vault. In another blog post, the company claims that, in order to mitigate the data hack, it managed to open a line of communication with the hacker who had put the user information up for sale.
Zomato has a total of 120 million users in the country. The company stated that this is the second major breach of its system in the past two years. If this is the case, then there is a possibility that the hacker also gained access to the salt values, allowing them to crack the hashes and recover the passwords more easily. Gunjan Patidar, Technology Chief at Zomato, said the "marketplace link which was being used to sell the data on the dark web is no longer available". The data that was being sold on the Dark Web has now been taken down after an agreement between the company and the hacker(s). This HackRead report, which claims to have reviewed a sample of the leaked data, points out that the usernames leaked on the Darknet portal were genuine.
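To make the salt point concrete, here is an added example (not Zomato's code, and not describing how its passwords were actually stored) showing why a salt is stored in the clear beside the hash and why the real protection against cracking a leaked record comes from a slow key-derivation function; the iteration count is an assumed value.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

# Assumed work factor for this PBKDF2 example; production systems tune it
# to their hardware rather than using this fixed value.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$hash_hex.

    The salt is not secret: it is written into the record next to the hash,
    exactly as a database dump would expose it."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def guesses_needed(record: str, wordlist: List[str]) -> int:
    """Number of candidates someone holding the leaked record (salt included)
    must push through the KDF before a guess matches; 0 if none match.

    Knowing the salt does not let anyone 'decrypt' the hash: every guess
    still costs one full PBKDF2 run, and a fresh salt per user means the
    work cannot be shared across accounts or precomputed in a table."""
    for n, guess in enumerate(wordlist, start=1):
        if verify_password(guess, record):
            return n
    return 0
```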
Anand had written about the particular bug in his blog post titled "[Responsible disclosure] How I could have hacked 62.5 million Zomato Users", with a proof-of-concept video. 60 percent of those affected use third-party authenticators such as Google and Facebook to log into the service, so these credentials weren't at risk, but that left around 6.6 million password and email combinations exposed. "Some employee's development account got compromised. No other information was exposed to anyone," it further stated. "Your (users') payment information is absolutely safe, and there is no need to panic."
The DaFont user base also included corporate accounts associated with Microsoft, Google, Apple, and also United Kingdom and US government agencies, which can be a matter of serious concern for corporations.