Zomato hacked, 17 million user records stolen
Restaurant search and discovery service Zomato announced that it was recently hacked, with 17 million user records stolen from its database.
According to Zomato, the stolen information contains user IDs, names, usernames, email addresses, and salted password hashes. In an updated post, Zomato said that 60% of its users log in to Zomato through third-party OAuth services (i.e. Google and Facebook); the company therefore does not have passwords for these accounts and considers them “zero risk”, within Zomato, Facebook, and Google.
Zomato said that the stolen passwords were hashed (using a one-way hashing algorithm, with multiple hashing iterations and an individual salt per password), meaning the passwords cannot be easily converted back to plain text. Even so, the company strongly advises users to change their passwords on other services where they might have used the same password as on Zomato. Zomato has also reset the passwords for all affected users and logged them out of the app and website.
Zomato has now plugged the exploited vulnerabilities in its systems and will be further enhancing its security measures. The company has also announced that it is introducing a bug bounty program on HackerOne very soon.