17 million accounts' hashed passwords, emails stolen, Zomato says


Friday, May 19, 2017

Yesterday, Zomato, a food ordering and restaurant finding company, announced via its official blog a security breach affecting more than 17 million accounts. A hacker operating under the alias nclay uploaded evidence to prove they had the stolen data (hashed passwords and emails) for sale, Hackread.com reported. Zomato later announced it had contacted the hacker, who asked Zomato to organise a bug bounty programme.

The food ordering company, with 120 million monthly users, said users' payment information was not stored with this data and was not leaked. Zomato said it uses PCI Data Security Standards.

As a security measure, all the passwords of the involved Zomato accounts were reset and all of the accounts were forcibly logged out from the application and website. The company said only hashed passwords were compromised.

Hashing transforms a password into a value from which the original is difficult to recover, and, per Zomato, every password had a different "salt", because cryptographic salting was performed before hashing the original password. A "salt" is a random set of characters added to the password before hashing to make recovering the original password more difficult.
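The per-password salting described above, as an added example that is not from Zomato or from the original article: it shows that two accounts with the same password end up with different stored hashes, while login checks still work. The algorithm (PBKDF2-HMAC-SHA256), the iteration count, the salt length and the sample passwords are assumptions chosen for illustration; the article does not say which hash function Zomato used.

```python
import hashlib
import hmac
import os

# Assumptions (not from the article): PBKDF2-HMAC-SHA256, 16-byte salts and
# this iteration count. Zomato's actual algorithm is not stated.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn per password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def unsalted_hash(password):
    """Plain SHA-256 with no salt, shown only for contrast."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def demo():
    # Constructed sample: two accounts that happen to share one password.
    shared = "correct horse battery staple"
    salt_a, hash_a = hash_password(shared)
    salt_b, hash_b = hash_password(shared)
    return {
        "unsalted_hashes_match": unsalted_hash(shared) == unsalted_hash(shared),
        "salted_hashes_match": hash_a == hash_b,
        "login_a_ok": verify_password(shared, salt_a, hash_a),
        "wrong_password_ok": verify_password("guess123", salt_a, hash_a),
        "wrong_salt_ok": verify_password(shared, salt_b, hash_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because identical passwords no longer share a stored value, recovering one account's password from its hash says nothing about other accounts, and each hash has to be attacked separately with its own salt.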

The hashed password itself cannot be used to access the account. In a blog post published before contacting the hacker, Zomato referred to an "internal (human) security breach" and suggested this could have happened after a worker's development account was hijacked. After contacting the hacker and promising a bug bounty programme on HackerOne, they said, the hacker agreed and removed the stolen data, which had been put on sale on the dark web. Zomato said they are looking forward to working closely with the ethical hacker community on security vulnerabilities.

