Zomato strikes a deal with the hacker
Zomato said the hacker has taken down the user information that had been put on sale on the Dark Web in return for a bug bounty program. The data, which had been available at a bundle price of $1,001.43, has been removed from sale. Zomato said that the hacker was cooperative and wanted Zomato to "acknowledge security vulnerabilities in our system and work with the ethical hacker community".
Zomato hacked: Data of 17 million users compromised
Zomato suffered a security breach in which almost 17 million user records were stolen from Zomato's database. The stolen data consisted of customers' email addresses and hashed passwords. A hacker going by the name "nclay" allegedly took responsibility for the hack and was selling the data of the 17 million registered users on a Dark Web marketplace.
Zomato says no financial information stolen
In a note released to the press, Zomato said that there was no evidence that the hacker had gained access to financial information. It said that the passwords were hashed and salted, hence no vital information had gone out. It said that "Payment related information" was stored separately in a "highly secure PCI Data Security Standard compliant vault" and hence was not compromised.
Hashing and salting of passwords
Hashing transforms a password into an incomprehensible string of characters that is difficult to convert back to plain text. Moreover, the passwords were salted, where "characters are added at random before the password is hashed", making a stored hash harder to crack even if it is exposed.
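As an added illustration of the point above (example code written for this article, not Zomato's implementation; the key-derivation function, iteration count, salt length and sample accounts are all assumptions), the script below contrasts unsalted hashing with salted hashing. Without a salt, two users who chose the same password share one hash, and a precomputed table of common-password hashes recovers it instantly; with a random per-user salt, the same password yields different hashes and the table finds nothing.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed parameters (not from the article): PBKDF2-HMAC-SHA256 with 200k iterations
# and a 16-byte random salt per user.
ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: identical passwords give identical hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Return (salt, hex digest). A fresh random salt is generated when none is given.

    The salt is stored alongside the digest; it is not secret, it only makes
    each user's hash unique so that precomputed tables do not apply.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest.hex()


def verify_password(password: str, salt: bytes, expected_hex: str) -> bool:
    """Recompute the salted hash and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected_hex)


def build_unsalted_table(common_passwords) -> Dict[str, str]:
    """A (constructed) precomputed lookup table: unsalted hash -> password."""
    return {unsalted_hash(p): p for p in common_passwords}


def lookup_unsalted(table: Dict[str, str], stored_hash: str) -> Optional[str]:
    """Recover a password from a leaked unsalted hash via the table, if present."""
    return table.get(stored_hash)


def lookup_salted(table: Dict[str, str], stored_hash: str) -> Optional[str]:
    """The same table is useless against salted hashes: salted digests never match."""
    return table.get(stored_hash)


def demo() -> dict:
    # Constructed sample: two accounts that happen to use the same weak password.
    password = "hunter2"
    common = ["123456", "password", "hunter2", "qwerty"]
    table = build_unsalted_table(common)

    alice_unsalted = unsalted_hash(password)
    bob_unsalted = unsalted_hash(password)
    alice_salt, alice_salted = hash_password(password)
    bob_salt, bob_salted = hash_password(password)

    return {
        "unsalted_collide": alice_unsalted == bob_unsalted,
        "salted_collide": alice_salted == bob_salted,
        "unsalted_recovered": lookup_unsalted(table, alice_unsalted),
        "salted_recovered": lookup_salted(table, alice_salted),
        "alice_verifies": verify_password(password, alice_salt, alice_salted),
        "wrong_password_verifies": verify_password("letmein", alice_salt, alice_salted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same salt must be stored with the hash and reused at login, which is what `verify_password` does; the iteration count is what makes each guess expensive, and the salt is what stops one precomputed table from being reused across every account in a leaked database.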
Why did the breach take place?
Zomato has blamed the breach on human error, where an "employee's development account got compromised". Zomato further said that the team was aggressively scanning all probable breach vectors and closing any gaps in its environment. The company will close any further security gaps in its systems by adding another layer of permission for the internal teams that can access this data.
What can be done to safeguard your information?
Zomato may have said that the passwords were hashed, but to be on the safer side these are the steps that should be taken. Change your Zomato password, and the password of every other app where you were using the same one. Check that your account information is correct and is not being used by third-party apps. Lastly, de-authorize all apps that log in through your account.