Zomato reports 17 million user records stolen from database

E-commerce giant Zomato reported a security breach resulting in the theft of 17 million email addresses and ‘hashed’ passwords.

While the world battles with ransomware “WannaCry,” Indian tech-food company, Zomato today lost its own battle to a security breach. Earlier today, Gunjan Patidar, Chief Technocrat at Zomato, revealed that the company’s security team has discovered that 17 million user records have been stolen from the company’s database.

On the company’s blog, Patidar wrote that the stolen data contains email addresses and ‘hashed’ passwords, but no payment related data. Zomato stores all payment data separately in “a highly secure PCI Data Security Standard (DSS) compliant vault,” he wrote.

News platform, HackRead claimed that a certain user by the name “nclay” is claiming to be responsible for the breach and has posted an advertisement on a popular Dark Web marketplace, with the intention of selling this data.

“Our team is actively scanning all possible breach vectors and closing any gaps in our environment. So far, it looks like an internal (human) security breach - some employee’s development account got compromised,” wrote Patidar.

As an added security measure, the company has reset all the passwords of the affected users and have logged them out of its sites and application.

The blog also announced that Zomato will be enhancing and focusing on its security measures, while a layer of authorization will soon be added for the employees who have access to data like this.

In an added update to the blog, Patidar said, “Almost 60 percent of our users use third party OAuth services (i.e. Google and Facebook) for logging in to Zomato. We don’t have any passwords for these accounts - therefore, these users are at zero risk.”

In a scenario where companies usually shy away from reporting security breaches and hacks, Zomato’s full disclosure is a big step towards transparency which is a need in the current time.

It’s only May, and we have already had WannaCry crippling over 200,000 machines, and a data theft of 17 million users. What's next?