Zomato's 17 million user records hacked

The company also urged its users to change their passwords just to be on the safe side.

May 18, 2017 11:32 am | Updated 11:23 pm IST

Zomato home page

Online restaurant guide and food delivery service Zomato admitted to a security breach on Thursday. "About 17 million user records from our database were stolen. The stolen information has user email addresses and hashed passwords," Zomato said in its blog post.

The company went on to assure users that the stolen hashed passwords cannot be converted back into plain text, and hence that the password information of registered Zomato users is intact. The company also urged its users to change their passwords just to be on the safe side.

"Payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked," the blog post said.

"Since we have reset the passwords for all affected users and logged them out of the app and website, your Zomato account is secure. Your credit card information on Zomato is fully secure, so there’s nothing to worry about there."

Zomato has also assured users that its security measures will be enhanced and that an extra authorisation cover will be provided to all internal users to secure the data.

Our special correspondent adds...

However, according to cybersecurity company Lucideus Tech, when someone hacks and copies the data of a website, the hacker copies much more than just the email addresses and passwords. It said that in most cases the same database is used to store other personally identifiable information (PII) about a user.

Lucideus said that Zomato was following good practice by hashing passwords before storing them in its database. “But saying 'the hashed password cannot be converted or decrypted back to plain text' is misleading,” said Saket Modi, chief executive and co-founder of Lucideus. He said that technically what Zomato is saying is correct, i.e. a hashed password cannot be decrypted, but what it isn't saying is that it is technically possible to break the hashing algorithm to guess the passwords.

Lucideus said that this has happened in the past: over 170 million LinkedIn accounts that were hacked were in fact hashed and stored. However, the hashing function used there was the weak cryptographic hash function SHA-1, and hence almost all the hacked and hashed accounts were broken. Lucideus said that this is the probable reason why Mark Zuckerberg's Twitter and Pinterest accounts were also compromised in 2016, as he was apparently using the same password as his LinkedIn account, whose password became public after the hack.
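To make Lucideus's point concrete, here is an added example (not code from Zomato, Lucideus or the original article) contrasting a fast, unsalted SHA-1 store with a salted, deliberately slow scrypt store, plus a simple audit a defender can run on their own password table: with a per-user salt no two users should ever share a stored value, so duplicate entries are a tell-tale sign of unsalted hashing. The scrypt parameters and the record format are the example's own choices.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Weak scheme: a fast, unsalted hash, as reported for the LinkedIn breach.
# Every user with the same password gets the same stored value, and each
# guess costs an attacker one cheap SHA-1 call.
def sha1_unsalted(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Stronger scheme: a random per-user salt plus a slow, memory-hard KDF.
# scrypt from the standard library is used here as an example choice.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)

def scrypt_record(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<salt hex>$<digest hex>' (record format is this example's)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$" + salt.hex() + "$" + digest.hex()

def scrypt_verify(password: str, record: str) -> bool:
    scheme, salt_hex, digest_hex = record.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    # Constant-time comparison, so a mismatch does not leak how far it matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def duplicate_hash_groups(records: Dict[str, str]) -> List[List[str]]:
    """Group users whose stored values are identical. With per-user salts this
    list should be empty; non-empty groups indicate unsalted hashing."""
    by_value: Dict[str, List[str]] = {}
    for user, stored in records.items():
        by_value.setdefault(stored, []).append(user)
    return sorted(sorted(u) for u in by_value.values() if len(u) > 1)

# Constructed sample data: two users who happen to share a password.
SAMPLE_USERS = {"alice": "Summer2017!", "bob": "Summer2017!", "carol": "tr0ub4dor&3"}
WEAK_STORE = {u: sha1_unsalted(p) for u, p in SAMPLE_USERS.items()}
STRONG_STORE = {u: scrypt_record(p) for u, p in SAMPLE_USERS.items()}

if __name__ == "__main__":
    print("unsalted SHA-1 duplicates:", duplicate_hash_groups(WEAK_STORE))
    print("salted scrypt duplicates:  ", duplicate_hash_groups(STRONG_STORE))
    print("alice logs in:", scrypt_verify("Summer2017!", STRONG_STORE["alice"]))
```

Running the block shows the SHA-1 store exposing that alice and bob share a password, while the scrypt store reveals nothing and still verifies each user's real password.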
