Zomato Hacked but Millions of Users' Passwords are Safe

Posted May 19, 2017

The hacker had also warned the company of the loophole roughly a year ago, but Zomato did not respond.

There was a state of panic when the company announced that the hacker had stolen at least 17 million user records.

Patidar added that a bug bounty program on HackerOne will be introduced soon and that, in return, the hacker has agreed to destroy all copies of the leaked database.

In a statement on Zomato's website, Mr Patidar said: 'We have taken multiple steps to mitigate the situation.'

Zomato said in its earlier blog post that it had applied an "individual salt per password" before encrypting it. Bug bounty programs are standard among tech companies, which reward outsiders for reporting bugs and flaws in their software systems.

In the blog post, the company said that "As a precaution, we have reset the passwords for all affected users and logged them out of the app and website".

But users who habitually reuse the same password across many sites are at serious risk, because attackers can use it to get into their other accounts, such as social media or email, experts warned. In total, 17 million user records were stolen during the breach.

According to the blog post, the very cooperative ethical hacker just wanted the vulnerabilities in Zomato's security system to be acknowledged.

Finally, share this news with fellow Zomato users so that they are aware and can take the security steps needed to keep their accounts safe. So it is likely that the data is no longer available on the dark web.

DaFont's database also included the site's forum data, private messages and other site information.

In another blog post, Zomato revealed that it had opened a line of communication with the hacker who posted the information for sale on the dark web.

Yesterday, the India-based company had said that 60 percent of the accounts used logins from third parties such as Facebook, so those accounts were perfectly safe.

"It is good to see that Zomato was following a good practice of hashing the passwords before storing them in their database, but saying 'The hashed password can not be converted/decrypted back to plain text' is misleading," said Saket Modi, CEO and co-founder of Delhi-based IT risk assessments provider Lucideus.
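The per-user salting Zomato described and the point Modi makes above, that a salted hash cannot be reversed yet a weak password can still be recovered by re-hashing guesses with the stored salt, as an added Python example that is not Zomato's code; the function names, iteration count and sample users are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example, not Zomato's implementation: a per-user salted
# password store built on PBKDF2-HMAC-SHA256. The iteration count is an
# assumed value chosen to make guessing slow.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a stored record: an individual random salt plus the derived hash."""
    if salt is None:
        salt = os.urandom(16)  # a fresh salt for every user, stored beside the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the record's own salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def audit_weak_passwords(records: dict, denylist: list) -> list:
    """Defender-side check over a password table: which users chose a password
    on a deny-list of common choices? Nothing is 'decrypted'; each candidate is
    simply re-hashed with the user's stored salt and compared, which is why a
    leaked salted-hash table is not the same as a safe one."""
    return [
        user for user, rec in records.items()
        if any(verify_password(candidate, rec) for candidate in denylist)
    ]


if __name__ == "__main__":
    # Constructed sample users: one weak password, one strong one.
    table = {
        "alice": hash_password("password123"),
        "bob": hash_password("Tq7!vR2#mL9pXz"),
    }
    print("same password, different salts:",
          hash_password("password123")["hash"] != table["alice"]["hash"])
    print("weak accounts:", audit_weak_passwords(table, ["123456", "password123"]))
```

Because the salt is stored next to the hash, it defeats precomputed tables shared across users but does nothing for a single user whose password is on a common deny-list; that is the gap between "not reversible" and "safe".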