In a massive security breach, 17 million user records from Zomato were stolen. India's largest online food guide app on Thursday admitted that usernames and hashed passwords were stolen by the attackers. The company has asked users to change their passwords right away.
"The hashed passwords cannot be converted/decrypted back to plain text - so the sanctity of your password is intact in case you use the same password for other services. But if you are paranoid about security like us, we encourage you to change your password for any other services where you are using the same password," the blog said. An important note put out by Zomato read, "Payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked."
The food guide giant maintained that all payment data is stored separately from the stolen data and that no payment information or credit card data has been stolen. In a statement that was sent through e-mails, the company added that "All payment information on Zomato is stored in a highly secure PCI Data Security Standard (DSS) compliant vault". "We can also confirm that we have found no evidence whatsoever of any of Zomato's other systems or products being affected," the statement read.
This would not be the first time that Zomato has been targeted by hackers. In 2015, the company's site was hacked and the hacker reported the details to Zomato, which addressed the weaknesses. Reports suggest that the data stolen from the company's database this time around, including passwords and usernames, is being sold online. Hackers are selling the data for fixed prices on the dark net.
Zomato in its blog has mentioned that it has reset passwords for all affected users and logged them out of the app and website. Investigations are underway to identify the breach and close gaps. The company claimed that it looked like an internal breach and that either an employee's details were stolen or an employee caused the security breach.
Zomato reassured its users that accounts have been secured and that the payment information was saved separately, reiterating that there was no need for concern. "Over the next couple of days, we'll be actively working to improve our security systems - we'll be further enhancing security measures for all user information stored within our database, and will also add a layer of authorization for internal teams having access to this data to avoid any human breach," Zomato stated.