Online food delivery service Zomato admitted on Wednesday that almost 17 million records of its registered users, including email addresses and hashed passwords, were stolen from its database; the data was subsequently put up for sale on a popular Dark Web marketplace. "The stolen information has user email addresses and hashed passwords", the company noted, adding that over 120 million people visit Zomato monthly. "When Zomato users trust us with their personal information, they naturally expect the information to be safeguarded".
The investigation into the breach is ongoing, but users who reuse the same password across multiple websites and social media platforms are advised to change it as soon as possible, since a password recovered from this dump can be tried against their accounts elsewhere.
The figure was disclosed on Zomato's own blog, which states that the attackers obtained the email addresses and hashed passwords of these users.
"The hacker has been very cooperative with us," the company notes in a later blog post.
"He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps," Patidar said. Zomato later announced that it had contacted the hacker, who asked Zomato to set up a bug bounty programme. The hacker has since taken down the Dark Web marketplace listing and handed Zomato a copy of the leaked data. That data, covering over 17 million users, had originally been listed for sale on the marketplace; according to the information security news site HackRead, it was being peddled for about $1,000.
The company's disclosure comes at a time when the world is grappling with the cyberattack by ransomware WannaCry, which has impacted IT networks in over 150 countries.
Zomato founder Deepinder Goyal said on Twitter that about 60 per cent of its users log in through third-party services, so Zomato holds no password for them, and the company has committed to strengthening its security measures to prevent a similar incident in future. "We don't have passwds for these accounts - therefore, these users are at zero risk", he tweeted. Users who do have a Zomato password are still asked to change it. A hashed password is not the plaintext, but a dump that contains both the hash and its salt lets an attacker run an offline guessing attack: each candidate password is hashed with the leaked salt and compared against the stored value, so weak or reused passwords can be recovered, and quickly if a fast hash function was used rather than a deliberately slow one.
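The following Python is an added illustration, not code from the article, Zomato or HackRead, of why a leaked hash plus its salt still allows offline password guessing, and why the cost of the hash function matters. The user records, the salt, the wordlist and the passwords are constructed here; the page does not say which hash function Zomato used, so two hypothetical schemes (plain salted SHA-256 and PBKDF2) are shown side by side.

```python
"""Offline password guessing against a leaked (salt, hash) record.

Added illustration, not code from the article, Zomato or HackRead. The
records, salt, wordlist and passwords below are constructed; the hash
function actually used in the breach is not stated on the page, so two
hypothetical schemes are compared.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import time
from typing import Callable, Optional

HashFn = Callable[[str, bytes], str]


def fast_hash(password: str, salt: bytes) -> str:
    """Hypothetical weak scheme: a single SHA-256 over salt||password.
    Each guess costs one hash, so a wordlist runs through in microseconds per entry."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Hypothetical hardened scheme: PBKDF2-HMAC-SHA256 with a work factor.
    Same salt handling, but every guess now costs `iterations` HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def make_record(email: str, password: str, hash_fn: HashFn, salt: Optional[bytes] = None) -> dict:
    """Build a constructed user record the way a password table would store it.
    The salt sits next to the hash, which is exactly what a database dump leaks."""
    if salt is None:
        salt = os.urandom(16)
    return {"email": email, "salt": salt.hex(), "hash": hash_fn(password, salt)}


# Constructed stand-in for a real cracking dictionary.
WORDLIST = ["password", "letmein", "zomato123", "hunter2", "qwerty", "foodie2017"]


def crack(record: dict, hash_fn: HashFn, wordlist: list[str] = WORDLIST) -> tuple[Optional[str], int]:
    """Offline dictionary attack. The attacker already has the salt from the dump,
    so recovery is just 'hash each guess with that salt and compare to the stored hash'.
    Returns (recovered password or None, number of guesses spent)."""
    salt = bytes.fromhex(record["salt"])
    for tried, guess in enumerate(wordlist, start=1):
        if hmac.compare_digest(hash_fn(guess, salt), record["hash"]):
            return guess, tried
    return None, len(wordlist)


def main() -> None:
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # fixed so the run is reproducible
    for name, fn in (("fast SHA-256", fast_hash), ("PBKDF2 100k", slow_hash)):
        weak = make_record("weak@example.com", "hunter2", fn, salt)
        strong = make_record("strong@example.com", "correct-horse-battery-staple-2017", fn, salt)
        t0 = time.perf_counter()
        found, n = crack(weak, fn)
        elapsed = time.perf_counter() - t0
        print(f"{name:12s} weak account   -> {found!r} after {n} guesses, {elapsed:.3f}s")
        found, n = crack(strong, fn)
        print(f"{name:12s} strong account -> {found!r} after {n} guesses (not in wordlist)")


if __name__ == "__main__":
    main()
```

Running `main()` recovers the weak account's password under both schemes, because a salt only stops precomputed tables from being reused across users; it does not hide the hash. What changes between the two schemes is the per-guess cost, which is why a slow, salted key-derivation function and a password that is not in any wordlist are the two defences that actually matter once the table has leaked.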