Hacker steals details of 17 million Zomato users

The names, email addresses and passwords of around 17 million Zomato users have been stolen after a hacker breached the systems of the restaurant listing and food delivery site.

Zomato, which operates in 24 countries including the UAE, Qatar and Lebanon, confirmed the breach on Thursday saying it had encouraged users to change their passwords on services where they might have used the same login information.

The site later said around 60 per cent of users were at less risk because they had used third party services like Google and Facebook to login.

Zomato added that payment information was stored separately in a highly secure PCI Data Security Standard vault and was not stolen.

In a later update the site, which has 120 million monthly users, said it had been in contact with the hacker, who had put the stolen information up for sale on the dark web.

“The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty programme for security researchers,” the company said in a statement.

As a result, the site added that the hacker had agreed to destroy all copies of the stolen data and take it down from sales sites on the condition it introduced a bug bounty programme on ethical hacker site HackerOne.

However, Zomato was still advising 6.6 million users that had password hashes in the leaked data, which could be decrypted using algorithms, to update their passwords if it had used them on other services.

“Please note that only five data points were exposed – user IDs, Names, Usernames, Email addresses, and Password Hashes with salt. No other information was exposed to anyone (we have a copy of the ‘leaked’ database with us). Your payment information is absolutely safe, and there’s no need to panic,” Zomato said.

It also confirmed that the hacker had provided information on how he/she got access to the details and it would provide an update once the loophole had been closed.

“Unlike the ransomware cyber attack last week, based on reports, this appears to be an issue with an employee inadvertently exposing the system,” said Paul Hughes, at corporate law firm Addleshaw Goddard.

“This demonstrates that no matter how robust your security systems are, employees are often the weakest link in the fight against cyber attacks and it highlights the importance of educating and training your staff on the fight against cyber crime.”