Restaurant guide and food delivery service Zomato looks like it is getting off lightly after it suffered a hack that compromised personal information belonging to 6.6 million users.
The India-based company, which offers services in more than 20 countries worldwide, set off alarm bells when it revealed that a hacker had made off with 17 million user records. That, Zomato said, included email addresses and hashed passwords, but not credit card information.
Initially, the stolen information was put up for sale; however, the company later revealed that the hacker had agreed to remove the listing on the condition that Zomato introduce a fully fledged bug bounty program.
Zomato has operated an account on disclosure service Hacker One for more than a year; however, CEO Deepinder Goyal confirmed on Twitter that it would begin compensating hackers with money for their disclosures.
Following the incident, Zomato reset the passwords of all affected users and logged them out of its app and website. It said that 60 percent of its 17 million user records are tied to social log-in via Twitter or Facebook and therefore weren’t impacted by the hack. The company claimed that the passwords that were stolen “cannot be easily converted back to plain text,” but Motherboard and security experts didn’t have issues converting into original passwords a sample of the data provided by the hacker.
Security experts weren’t impressed with Zomato’s security measures.
In this case, there’s no immediate danger as the hacker agreed not to sell the data, but the situation is a reminder that many companies do not have adequate security measures in place to protect users.
That includes big ones. Zomato has been valued at more than $1 billion — though some disagree on that — and it is fair to say that it doesn’t have any excuses for a lax security system because it has raised more than $240 million from investors to date.