Restaurant search and food delivery service Zomato has been hacked, with the user details of 17 million users stolen. However, the company assured customers that their payment and credit card data are safe and sprang into action to fortify its information base.
According to a blogpost on the company's website, the "ethical hacker" - whose identity has been kept under wraps - simply wanted to expose the security vulnerabilities in the company's structure.
"The hacker has been very cooperative with us".
According to the blog post, the hacker has also agreed to take the data off the dark web and destroy all copies of the stolen information.
Since this was a hacker from an ethical group that checks for any loopholes, they shared what exactly was done to steal the data and the Zomato team has plugged that loophole to prevent any further breaches.
The company clarified that only five data points were exposed: user IDs, names, usernames, email addresses, and password hashes. "No other information was exposed to anyone," it further stated.
MediaNama has written to Zomato to confirm whether it used the outdated MD5 algorithm, and whether it stored salt values on the same server as the passwords. The blog post added: "His/her key request was that we run a healthy bug bounty program for security researchers." The number of user accounts compromised was pegged at 17 million earlier in the day. In the late-night update, Zomato said password hashes (passwords in a scrambled, encrypted form) of 6.6 million users were compromised. "This means your password can not be easily converted back to plain text," reads the blog post.
Finally, share this news with fellow Zomato users so that they are aware and can take the steps needed to keep their accounts safe. How much protection the password hashing offers depends on the algorithm employed.
It added that because the passwords are hashed - converted into a meaningless string of numbers that bear no relation to the actual password - the hackers will be unable to access them.
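The two questions MediaNama raises (bare MD5, and where the salt lives) decide how much a leaked hash table is worth, and a short comparison makes that concrete. The following example is added here; it is not Zomato's code and nothing is known about its actual scheme. It stores a few constructed sample accounts (two of which reuse a password) under the weak scheme the article asks about, a bare unsalted MD5, and under a per-user-salted PBKDF2-SHA256. Hashing is one-way, unlike encryption, but with unsalted MD5 every user with the same password gets the same hash, so a leaked table reveals password reuse and can be matched against precomputed tables; with a random salt per user the hashes differ even for equal passwords, and the iteration count makes each guess costly. The salt is stored next to the hash on purpose: it is not a secret, its job is only to defeat precomputation, and the slow derivation is what protects the hash once both are leaked.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not breach data). alice and bob reuse a password.
USERS = {
    "alice": "Winter2017!",
    "bob": "Winter2017!",
    "carol": "correct horse battery staple",
}


def md5_unsalted(password: str) -> str:
    """The weak scheme the article asks about: a bare MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_salted(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Per-user random salt plus a deliberately slow key-derivation function.

    The stored record carries the algorithm, iteration count and salt alongside
    the digest; none of these are secret, only the password is.
    """
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_table(scheme: str) -> dict:
    """Hash every sample user under the chosen scheme ("md5" or "pbkdf2")."""
    if scheme == "md5":
        return {user: md5_unsalted(pw) for user, pw in USERS.items()}
    if scheme == "pbkdf2":
        return {user: pbkdf2_salted(pw, os.urandom(16)) for user, pw in USERS.items()}
    raise ValueError("unknown scheme")


def duplicate_hash_count(table: dict) -> int:
    """Number of users whose stored hash is shared with at least one other user.

    Unsalted hashing maps equal passwords to equal hashes, so this is 2 for the
    sample data under MD5 and 0 once every user has a distinct salt.
    """
    counts = Counter(table.values())
    return sum(c for c in counts.values() if c > 1)


if __name__ == "__main__":
    for scheme in ("md5", "pbkdf2"):
        table = build_table(scheme)
        print(f"{scheme}: {duplicate_hash_count(table)} users share a hash")
        for user, record in table.items():
            print(f"  {user}: {record}")
    salted = build_table("pbkdf2")
    print("verify alice:", verify_pbkdf2("Winter2017!", salted["alice"]))
    print("verify wrong:", verify_pbkdf2("not-her-password", salted["alice"]))
```

Running it prints identical MD5 values for alice and bob and three distinct PBKDF2 records; the verification step shows that the salt and iteration count stored beside the digest are enough to check a login, which is why keeping them on the same server is the normal design rather than the weakness, provided the derivation itself is slow and the algorithm is not MD5.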
There was some panic on Thursday after Zomato put up a blog post stating that data of 17 million accounts had been stolen and put up for sale on the dark web, the portion of content on the World Wide Web that sits away from the public internet. Would Zomato be liable to compensate end users for loss of sensitive data?