Zomato Hacked; 17 Million Accounts Sold on Dark Web

Zomato database includes emails and password hashes of registered users while the price set for the whole package is USD 1,001.43.


Since 2015, Dark Web marketplaces have been flourishing, offering a wide range of illegal items such as drugs, weapons, databases, and fake documents. Recently, HackRead discovered a vendor using the online handle “nclay” claiming to have hacked Zomato and is selling the data of its 17 million registered users on a popular Dark Web marketplace.

The database includes emails and password hashes of registered Zomato users, with the price set at USD 1,001.43 (BTC 0.5587). The vendor also shared a trove of sample data to prove the legitimacy of the hack. Here’s a screenshot of the sample data publicly shared by “nclay.”

Screenshot credit: Hackread.com

Upon testing the sample data on Zomato.com’s login page, it was discovered that every account mentioned in the list exists on Zomato.

Screenshot credit: Hackread.com

We tried to send a password reset email to some of the email addresses in the data, which further revealed that they are registered with Zomato. Here’s a screenshot showing a reset email successfully sent to one user.

“The data was stolen this month and this year, May 2017,” the hacker told HackRead.

Email successfully sent. Screenshot credit: Hackread.com

An email was also sent to Zomato from HackRead.com, along with the sample data explaining the incident. We requested the company to confirm whether Zomato had suffered a data breach. However, at the time of publishing this article, there was no response from the company.


It must be noted that Zomato already runs a bug bounty program; however, the security researchers and hackers who report vulnerabilities receive only Hall of Fame recognition or a certificate of acknowledgement. Additionally, in 2015, Zomato was hacked by Indian ethical hacker Anand Prakash, who discovered a critical security flaw in Zomato’s data recall system and informed the company about the issue.

Zomato is a world-renowned food and restaurant search engine founded by Deepinder Goyal and Pankaj Chaddah in India in 2008. The site receives over 90 million monthly visits and holds the 945th rank globally, while it is among the top 155 most visited sites in India, according to Alexa rankings. Therefore, if there is any truth to “nclay’s” claims—which appear to be accurate—Zomato will have a busy week addressing the fallout.

Currently, the same Dark Web marketplace where the Zomato data is being sold also hosts several other vendors selling highly sensitive data stolen from tech and social media giants. These include the anti-public combo list with billions of accounts, 100 million accounts from the Chinese video service Youku, millions of accounts stolen from vBulletin forums, millions of records from Bitcoin forums, and millions of Gmail and Yahoo accounts with their plain-text passwords, among others.

Update: 

Although Zomato didn’t reply to our email, the company has acknowledged the breach in their latest blog post. This confirms that HackRead.com’s exclusive findings and the hacker’s claims are legitimate. Here’s a full preview of the blog post published by Zomato 7 hours ago:

Over 120 million users visit Zomato every month. What binds all of these varied individuals is the desire to enjoy the best a city has to offer, in terms of food. When Zomato users trust us with their personal information, they naturally expect the information to be safeguarded. And that’s something we do diligently, without fail. We take cybersecurity very seriously – if you’ve been a regular at Zomato for years, you’d agree.

The reason you’re reading this blog post is because of a recent discovery by our security team – about 17 million user records from our database were stolen. The stolen information has user email addresses and hashed passwords.

We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We, however, strongly advise you to change your password for any other services where you are using the same password.

Important note – payment-related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked.

As a precaution, we have reset the passwords for all affected users and logged them out of the app and website. Our team is actively scanning all possible breach vectors and closing any gaps in our environment. So far, it looks like an internal (human) security breach – some employee’s development account got compromised.

How can this stolen information be misused?

Since we have reset the passwords for all affected users and logged them out of the app and website, your Zomato account is secure. Your credit card information on Zomato is fully secure, so there’s nothing to worry about there.


What next?

Over the next couple of days and weeks, we’ll be actively working to plug any more security gaps that we find in our systems.

We’ll be further enhancing security measures for all user information stored within our database.

A layer of authorization will be added for internal teams having access to this data to avoid the possibility of any human breach.

We regret any disruption this may cause and appreciate your immediate attention to this information. If you have queries/concerns, please do not hesitate to contact our security team by sending an email directly to [email protected] and we’ll reach out to you right away.
