Mumbai: Zomato has been exposed to a major security breach, with around 17 million user records stolen from its database. The company currently has a base of 120 million users and admitted to the hack on Thursday.
According to the company, usernames and hashed passwords were stolen by the attackers. The fact that the passwords were hashed rather than stored in plain text means they are harder to recover, but such troves of data do eventually get cracked, so a sensible move would be to change your Zomato password right away, and also to change it on any other site where you use the same password.
Coming back to Zomato, the company disclosed the attack in a blog post, where it also mentioned that all payment data is stored separately from the stolen data, and that no payment information or credit card data has been stolen.
In a mailed statement, the company added: “All payment information on Zomato is stored in a highly secure PCI Data Security Standard (DSS) compliant vault.” It added: “We can also confirm that we have found no evidence whatsoever of any of Zomato’s other systems or products being affected.”
This is not the first time that Zomato has been targeted in a hacking attack. In 2015, the company was hacked by a white hat hacker who reported the details to Zomato, which addressed the weaknesses, according to reports. This time, however, a report says that the stolen usernames and passwords are being sold online.
On the blog, Zomato mentions that it has reset passwords for all affected users and logged them out of the app and website. According to Zomato, it is now investigating the breach to close gaps, and it noted that this looks like an internal security breach: either an employee's account was compromised, or the accounts were stolen by an employee.
Zomato reassured users that accounts have been secured and that payment information is stored separately, so there is no cause for concern. The incident does, however, highlight how much of our data remains exposed to companies, from our real names and addresses to our payment details. If the data was in fact stolen by an employee, it becomes even more important that companies clearly declare which user data is visible to their staff, and the incident raises doubts about internal transparency.