Time to change your passwords again!
The reason you’re reading this blog post is because of a recent discovery by our security team – about 17 million user records from our database were stolen. The stolen information has user email addresses and hashed passwords.
We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We, however, strongly advise you to change your password for any other services where you are using the same password.
Zomato has a lot of work to do
According to the Zomato team, “6.6 million users had password hashes in the ‘leaked’ data, which can be theoretically decrypted using brute force algorithms.” The Zomato team managed to contact the team of hackers, and the data has been pulled off the deep web; the incident is being presented as something along the lines of a teachable moment. Zomato had this to say:
The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers.
We are introducing a bug bounty program on Hackerone very soon. With that assurance, the hacker has in turn agreed to destroy all copies of the stolen data and take the data off the dark web marketplace. The marketplace link which was being used to sell the data on the dark web is no longer available.
Zomato is now trying to strengthen its security measures to avoid these kinds of attacks in the future. Let's hope they make the correct choices and this never happens again.