Zomato Breach Exposes 17M User Records, Makes Deal with Hacker to Destroy Data

Restaurant guide Zomato has announced that it has been the victim of a data breach which saw the records of 17 million users being stolen from its database. The bad news is that 6.6 million of those are already on sale on a dark web marketplace. The good news is that the company has more than 120 million users from 24 countries across the globe, and the data breach only affects 17 million of those. 

Of course, it’s still a disappointment that the company was victim of a data breach. The hackers got their hands on user email addresses and hashed passwords. “We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text,” the company states. No payment-related information was accessed.

Users who log into Zomato via Google or Facebook have not been at risk as the company does not store those passwords. According to Zomato, about 60% of its 120 million users use this feature.

All data to be destroyed

There’s an extra good news, however, as the hackers have reportedly agreed to pull the listing from the marketplace on one condition – Zomato starts running a healthy bug program for security researchers. The company agreed and will introduce a bug bounty program via HackerOne.

“With that assurange, the hacker has in turn agreed to destroy all copies of the stolen data and take the data off the dark web marketplace. The marketplace link which was being used to sell the data on the dark web is no longer available,” Zomato said.

Read more…