Online restaurant guide and food delivery Zomato admitted to a security breach on Thursday. "About 17 million user records from our database were stolen. The stolen information has user email addresses and hashed passwords," Zomato said in its blog post.
The company went on to assure users that hacked passwords cannot be converted into plain text and hence the password information of registered Zomato users are intact. The company also urged its users to change their passwords just to be on the safe side.
"Payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked," the blog post said.
ADVERTISEMENT
"Since we have reset the passwords for all affected users and logged them out of the app and website, your zomato account is secure.
Zomato has also assured users that its security measures will be enhanced and that an extra authorisation cover will be provided to all internal users to secure the data.
Our special correspondent adds...ADVERTISEMENT
ADVERTISEMENT
However, according to cybersecurity company Lucideus Tech when someone hacks and copies the data of a website, the hacker copies much more than just the email and the password. It said that in most cases it's the same database that is used to store other personal identifiable information (PII) of a user. Lucideus said that Zomato was following a good practice of hashing the passwords before storing it in their database. “But saying 'the hashed password cannot be converted or decrypted back to plain text' is misleading,” said Saket Modi, chief executive and co-founder of Lucideus. He said that technically what Zomato is saying is correct, i.e. a hashed password cannot be decrypted, but what they aren't saying is - it is technically possible to break the hashing algorithm to guess the passwords. Lucideus said that this has happened in the past - over 170 million LinkedIn accounts that were hacked were actually hashed and stored. However, the hashing function used there was the weak cryptographic hash function called SHA-1. Hence almost all the hacked and hashed accounts were broken. Lucideus said that this is the probable reason why Mark Zuckerberg's Twitter and the Pinterest account was also compromised in 2016 as he apparently was using the same password as his LinkedIn account whose password became public after the hack.