Zomato App – 17 Million User Records Stolen, Listed on Dark Web

Zomato, a restaurant search and discovery application which serves tens of millions of users on a daily basis, was hacked this past week. More than 17 million user records were stolen and listed on the dark web.

In a strange turn of events, it appears as if Zomato bought the details of its users back from the dark web as the hacker was paid by Zomato to take the listing of its client data from the dark web. Essentially, the Zomato team paid off the hacker who listed the data of Zomato’s 17 million users on the dark web to ensure that sensitive information of their clients remain safe.

In an official company blog post, the Zomato security team explained that its database was hacked by an ethical hacker who wanted to receive bounty for exploiting vulnerabilities within Zomato’s platform. According to Zomato, the initial aim of the hacker wasn’t to extract ransom out of the company nor to make profit off dark web sales. The hacker was cooperative with the company in implementing necessary security measures and ensuring that user data of Zomato remains safe.

“Earlier today, our security team discovered that user emails and hashed passwords were stolen from our database. Since then, we have taken multiple steps to mitigate the situation. One of these steps was to open a line of communication with the hacker who had put the user data up for sale. The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers,” said Zomato in a blog post.

Although bug bounties are offered frequently in the industries of bitcoin and blockchain wherein software and platforms are meant to be immutable and decentralized, a small number of companies within the technology sector offer bounties to ethical hackers to ensure necessary security measures are integrated.

For user security and overall platform protection from potential security breaches and hacking attacks, the Zomato team announced that a bug bounty program on Hackerone will be introduced to incentivize ethical hackers like the anonymous individual who hacked into the database of Zomato this past week. With an assurance from the Zomato team, the hacker agreed to destroy remaining copies of the stolen data of 17 million users and comply with the requests of Zomato.

Users who may have had their accounts hacked were relieved when Zomato clarified that none of their financial information was leaked. Only five data points including user IDs, names, usernames, email addresses and password hashes were exploited. But, these points can be altered and changed by users again, which Zomato recommended in its blog post.

“6.6 million users had password hashes in the ‘leaked’ data, which can be theoretically decrypted using brute force algorithms. We will be reaching out to these users to get them to update their password on all services where they might have used the same password,” said Zomato.

It still remains unclear what would have happened if a buyer reached out to the seller of the information of Zomato’s 17 million users. Ultimately, it was a responsible approach from the Zomato security team to first ensure the safety of its users and protect the platform from future attacks and breaches.