Zomato, Indian's largest restaurant search and discovery service, has suffered a security breach, compromising account information of 17 million users. The incident was first reported by a security blog called Hackread, which said a vendor going by the online handle of "nclay" had claimed to have hacked Zomato and sold the stolen data on the dark web.
The database, which includes emails and password hashes of registered Zomato users, is up for grab with a price tag of $1,001.43 (BTC 0.5587), according to the blog post. BTC stands for Bitcoin, a form of digital currency, created and held electronically.
"The vendor also shared a trove of sample data to prove that the data is legit... We tried to send a password reset email to some of the email addresses in the data which further revealed that they are registered with Zomato," the blog post said.
Meanwhile, Zomato confirmed the data breach to International Business Times, India. The company said it was apparently an internal security breach, affecting the "development account" of one of its employees.
"Recently, our security team has discovered an incident that may have resulted in unauthorized access to account information (including name, email address and hashed password) for 17 million users on Zomato," the company said, adding that its internal security investigation found no evidence of unlawful access to financial information.
"All payment information on Zomato is stored in a highly secure PCI Data Security Standard (DSS) compliant vault - no payment information or credit card data has been leaked," according to the company.
Although the hacker managed to access names and email addresses of users, the passwords are still secure as they are "hashed and salted," Zomato said.
Hashing is a method that converts a variable-length password into a cryptic, fixed-length password, which cannot be converted back to the original one.
"The hashed password cannot be converted/decrypted back to plain text - so the sanctity of your password is intact in case you use the same password for other services," the company said in a blog post, while urging users to use different passwords for different services.
Zomato has also reset the passwords for all affected users and logged them out of the app and the website as a precautionary measure.
"We'll be further enhancing security measures for all user information stored within our database. A layer of authorisation will be added for internal teams having access to this data to avoid the possibility of any human breach," the company said.
This is not the first time Zomato had suffered a security issue. In 2015, an Indian ethical hacker Anand Prakash discovered a critical security flaw in Zomato's data recall system, before informing the company about the same.
