India’s largest restaurant guide, Zomato, appears to have suffered a major security breach, with over 17 million user records stolen from its database.
According to a report on the security blog HackRead, “a vendor going by the online handle of ‘nclay’ is claiming to have hacked Zomato and selling the data of its 17 million registered users on a popular Dark Web marketplace.”
The stolen information includes user email addresses and hashed passwords. However, Zomato claimed that “no payment or credit card information has been stolen/leaked” by the hacker.
The food-tech company wrote on its blog, “The payment related information on Zomato is stored separately from this (stolen) data in a highly secured PCI Data Standard Security (DSS) compliant vault.” The firm added, “The hashed password cannot be converted/decrypted back to plain text - so the sanctity of your password is intact in case you use the same password for other services.” Although the passwords could still be safe, the company is encouraging customers to change their passwords on any other services where the same password is used, to avoid security risks.
As a precautionary measure, Zomato has reset the passwords of all affected users and logged them out of the application. The firm attributed the breach to an internal (human) error in which an employee’s development account was compromised.
Over the next couple of days and weeks, Zomato will work towards plugging any security gaps it comes across in its systems. This includes enhancing security measures for all user information stored in its database and adding a layer of authorization for internal teams with access to this data, to avoid the possibility of any human breach.