Zomato Hacked: 17 Million Names, Emails And Passwords Stolen

Restaurant search and discovery service Zomato announced Thursday that it was hacked, resulting in information from 17 million users being stolen.

The names of users along with their email address and a hashed password were stolen by the hacker. The database of Zomato user information has been made available for purchase on the dark web.

Read: DocuSign Hacked: Customer Email Addresses Accessed, Used To Send Malware

In a blog post acknowledging the database breach, Zomato noted the stolen passwords were hashed—a function that converts the plaintext password into a string of random characters. The passwords were also salted, which adds additional random data to a hash to make it harder to decipher.

“This means your password cannot be easily converted back to plain text,” the company said—an updated version of an original post that said the passwords “cannot be converted/decrypted back to plain text.” That comment was criticized by security experts, who note that encryption is very difficult but not impossible to crack.

Zomato also noted that 60 percent of its users login using a third party OAuth or Open Authorization, meaning they login using another account like Google or Facebook. Zomato does not store passwords for those accounts.

The company is still advising its users to change their password and has already reset the passwords for affected users. Those users are logged out and will have to create a new passwords upon their next login.

For any user who uses the same password on Zomato as they do on another service, it is important to change passwords on those services as well. Database leaks are easily be cross-referenced and a hacker can access multiple accounts just by finding a single password.

Read: Edmodo Hacked: 77 Million Accounts Of Students, Teachers, Parents Stolen From Education Social Network

Zomato assured users that payment related information is stored separately from the database that was compromised and confirmed that no payment information or credit card data was stolen or published.

The information from the stolen database has been made available online for purchase on the dark web. The hacker is asked for just over $1,000 for the database.

It appears that the same person responsible for the Zomato hack was the same person involved in the recent hack of education social network Edmodo. The hacker, who goes by nclay, reportedly broke into the Zomato database earlier this month.

It appeared the hacker nclay was able to gain access to the Zomato database after compromising a Zomato employee’s account and using that employee’s access to the company’s database—which suggests the Zomato did not require the use two-factor authentication or other methods to authenticate its employee logins.

Zomato said it will be “further enhancing security measures for all user information stored within our database,” and adding an additional layer of authorization for its internal teams with access to customer data to prevent future breaches.