News

17 million users' data stolen from Zomato, company says passwords and bank details safe

The blog announced that credit card and debit card information of users has not been compromised.
17 million users' data stolen from Zomato, company says passwords and bank details safe
17 million users' data stolen from Zomato, company says passwords and bank details safe
Written by:
TNM Staff

If you're on Zomato, and if your Zomato is linked to your Facebook account, it's time to change your password. Zomato on Thursday announced on their blog that info of 17 million users - including their user IDs and hashed passwords - have been compromised. 

As per the latest update, the data is now being sold on a popular Dark Web marketplace.

According to information shared on Hackeread.com, a user by the name of "nclay" claimed to have hacked Zomato.

"The database includes emails and password hashes of registered Zomato users while the price set for the whole package is USD 1,001.43 (BTC 0.5587). The vendor also shared a trove of sample data to prove that the data is legit," the report said.

"The data was stolen this month and this year in May 2017," the hacker told HackRead.

The blog announced that while credit card and debit card information of users has not been compromised, they did advice users to change their passwords for any other services for which they're using the same password.
 
"The reason you’re reading this blog post is because of a recent discovery by our security team - about 17 million user records from our database were stolen. The stolen information has user email addresses and hashed passwords," the blog by Gunjan Patidar, the Chief Technology Officer of Zomato, said.
It further said:
"The hashed password cannot be converted/decrypted back to plain text - so the sanctity of your password is intact in case you use the same password for other services. But if you are paranoid about security like us, we encourage you to change your password for any other services where you are using the same password.
 
"Important note - payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked.
The CTO of Zomato also noted that the breach may have been on account of an employee's development account getting compromised. 
"As a precaution, we have reset the passwords for all affected users and logged them out of the app and website. Our team is actively scanning all possible breach vectors and closing any gaps in our environment. So far, it looks like an internal (human) security breach - some employee’s development account got compromised."

Zomato also said that they were working to plug any more security gaps. 

"Over the next couple of days and weeks, we’ll be actively working to plug any more security gaps that we find in our systems. We’ll be further enhancing security measures for all user information stored within our database. A layer of authorisation will be added for internal teams having access to this data to avoid the possibility of any human breach."

(With IANS inputs)

Security
Technology
Blog
Environment
Discovery
Cyber Security

Related Stories

No stories found.
The News Minute
www.thenewsminute.com