Yesterday, Zomato, a food ordering and restaurant discovery company, announced via its official blog a security breach affecting more than 17 million user accounts.
With ransomware and data-theft attacks at an all-time high, this is the most damaging security event in the company's history, and one it says has taught it a lesson as it plans how to prevent future attacks.
“We are introducing a bug bounty program on HackerOne very soon”, continued Patidar.
To limit further damage, Zomato says it has reset the passwords of all affected users and logged them out of its app and website. The company said it wants to work with the ethical hacker community to close the gaps in its systems and make the service safer for users.
According to Zomato, the person behind the hack came forward, explained exactly how the intrusion was carried out, and agreed to delete the stolen data in exchange for the company setting up a bounty programme for security researchers.
Though Zomato had sought to assure the affected users that their passwords could not easily be decrypted, it seems that was not necessarily the case, with some security experts claiming they were able to decrypt some passwords relatively quickly and others pouring scorn on Zomato’s cryptographic efforts. On credit and debit card data, Zomato says this is “stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault”.
A report on a hacker news website, carried by local media, said the trove of personal data was being auctioned on the dark web for roughly $1,000 by a hacker using an alias. Of its salted password hashes, Zomato had told users: “This means your password can not be easily converted back to plain text”.
Zomato has a total of 120 million users in the country. The company stated that this is the second major breach of its systems in the past two years.
“Since this was an ethical disclosure on Anand’s part, it did not have to be reported to the users”, Zomato responded when asked about the previous breach. Thankfully, credit card information was not stolen. Aside from these, no other information has been exposed, and the privacy of the members’ payment information has remained intact. “Your payment information is absolutely safe and there’s no need to panic”, Zomato said in a statement.
Zomato will also publish details about how the hacker got in once the holes have been plugged.
Zomato said in its earlier blog post that it had applied an “individual salt per password” before hashing (“encrypting”, in the post's words) it.
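The two claims above, that a per-password salt stops hashes from being "easily converted back to plain text" and that experts nonetheless recovered passwords quickly, are not in conflict, and the following added example (my illustration, not Zomato's code; the article never names the hash algorithm Zomato used, so SHA-256 stands in as an assumed fast hash) shows why. The salt sits in the dump next to the hash, so an attacker does not reverse anything: they re-derive each guess and compare. A salt only prevents one precomputed table from being reused across users; it is the cost of one derivation that decides how fast a wordlist attack runs, which is what a slow KDF such as PBKDF2 (shown here) buys and a plain salted SHA-256 does not. The user records and wordlist are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

# Constructed wordlist for the demo, not real leaked data.
WORDLIST = ["123456", "password", "qwerty", "letmein", "zomato123", "hunter2"]

# Assumed parameters for the "slow" scheme; OWASP currently suggests
# 600,000 PBKDF2-HMAC-SHA256 iterations, lowered here so the demo is quick.
PBKDF2_ITERATIONS = 200_000


def fast_hash_record(password: str, salt: bytes) -> bytes:
    """Per-password salt in front of a fast general-purpose hash.
    SHA-256 is an assumption: the page does not say which hash was used."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def slow_kdf_record(password: str, salt: bytes) -> bytes:
    """Same salt, but fed through PBKDF2-HMAC-SHA256 with many iterations,
    so every guess costs the attacker the same work it costs the server."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )


def dictionary_attack(record: bytes, salt: bytes, derive, wordlist):
    """Offline guessing loop an attacker runs over a stolen (salt, hash) pair.
    Nothing is 'decrypted': each candidate is re-derived with the stored salt
    and compared. Returns (recovered_password_or_None, guesses_tried)."""
    for tried, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(derive(candidate, salt), record):
            return candidate, tried
    return None, len(wordlist)


def demo(victim_password: str = "zomato123") -> dict:
    """Store one weak password both ways, attack both records with the same
    wordlist, and report what was recovered and how long each attack took."""
    salt = os.urandom(16)  # unique per user, stored alongside the hash
    fast_record = fast_hash_record(victim_password, salt)
    slow_record = slow_kdf_record(victim_password, salt)

    t0 = time.perf_counter()
    fast_cracked, fast_guesses = dictionary_attack(fast_record, salt, fast_hash_record, WORDLIST)
    fast_seconds = time.perf_counter() - t0

    t0 = time.perf_counter()
    slow_cracked, slow_guesses = dictionary_attack(slow_record, salt, slow_kdf_record, WORDLIST)
    slow_seconds = time.perf_counter() - t0

    # Same weak password, two users: the salt makes the stored values differ,
    # which is exactly (and only) what "individual salt per password" buys.
    other_salt = os.urandom(16)
    salted_records_differ = fast_hash_record(victim_password, salt) != fast_hash_record(
        victim_password, other_salt
    )

    return {
        "fast_cracked": fast_cracked,
        "fast_guesses": fast_guesses,
        "fast_seconds": fast_seconds,
        "slow_cracked": slow_cracked,
        "slow_guesses": slow_guesses,
        "slow_seconds": slow_seconds,
        "salted_records_differ": salted_records_differ,
    }


if __name__ == "__main__":
    result = demo()
    print(f"salted SHA-256: recovered {result['fast_cracked']!r} "
          f"after {result['fast_guesses']} guesses in {result['fast_seconds']:.6f}s")
    print(f"salted PBKDF2 : recovered {result['slow_cracked']!r} "
          f"after {result['slow_guesses']} guesses in {result['slow_seconds']:.3f}s")
    print(f"same password, different salts -> different records: "
          f"{result['salted_records_differ']}")
```

Both records fall to the same six-word list, because a weak password is weak under any scheme; the difference is the cost per guess, which is what lets a real attacker work through millions of candidates per second against a fast hash and only a few hundred against a tuned KDF. Rotating the hash scheme and forcing a reset, as Zomato did, is the correct response once a dump of fast hashes is known to be in circulation.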