Zomato faced a major security breach yesterday, when it was reported that at least 17 million email addresses and password hashes had been stolen by a hacker. The web-based company has now confirmed that it has made contact with the hacker and agreed to meet certain demands in exchange for the stolen data being removed from the dark web.
MD5 with a 2 char hex salt – WTF?! "Restaurant App Zomato Says Your Stolen Password Is Fine. But Is It?" https://t.co/2NBTnAdosF
— Troy Hunt (@troyhunt) May 18, 2017
Yesterday, the India-based company had said that 60 percent of the accounts were logins via third parties such as Facebook, so those accounts were perfectly safe. It also said that since payments were processed by third parties as well, payment details were likewise safe.
The alleged hacker gave some samples of the data to Motherboard, confirming that Zomato was using an outdated algorithm to hash its customers’ passwords.
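To make the password-storage point concrete, the following is an added example (not Zomato's code, and not from Motherboard or Troy Hunt) contrasting the weak scheme the tweet describes, MD5 over a two-character hex salt, with a hardened scheme a defender would deploy today, PBKDF2-HMAC-SHA256 with a 16-byte random salt. The exact legacy concatenation order, the stored-record format and the iteration count are assumptions for illustration; the password inputs are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- Legacy scheme (assumed layout): MD5 over salt + password -----------------
# A 2-character hex salt can only take 16 ** 2 = 256 distinct values, so one
# precomputed table per salt value covers every user, and MD5 itself is a fast
# digest designed for throughput, not for password storage.
HEX_CHARS = "0123456789abcdef"


def legacy_salt_space() -> int:
    """Number of distinct 2-character hex salts (256)."""
    return len(HEX_CHARS) ** 2


def legacy_hash(password: str, salt: str) -> str:
    """One fast MD5 digest per guess; salt order is an assumption."""
    if len(salt) != 2 or any(c not in HEX_CHARS for c in salt):
        raise ValueError("legacy salt must be exactly 2 hex characters")
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


# --- Hardened scheme: PBKDF2-HMAC-SHA256, 16-byte random salt, high work factor
# Record format (assumed): "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>"
ITERATIONS = 600_000  # illustrative; tune to your hardware budget


def modern_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Derive a stored record with a fresh 128-bit salt unless one is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def modern_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("legacy salt space:", legacy_salt_space())          # 256
    print("legacy record    :", legacy_hash("hunter2", "a1"))  # one fast digest
    rec = modern_hash("hunter2")
    print("modern record    :", rec)
    print("verify ok        :", modern_verify("hunter2", rec))
    print("verify wrong     :", modern_verify("hunter3", rec))
```

The contrast a practitioner cares about is the two knobs the legacy scheme lacks: a per-user salt large enough that no precomputed table is reusable (here 128 bits), and a configurable work factor that makes each guess expensive. Existing legacy records cannot be upgraded without the plaintext, so the usual migration is to re-hash on the user's next successful login and force resets for accounts that never return.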
The hacker had also reportedly warned the company about the weakness roughly a year ago, but Zomato did not respond.
Zomato’s chief technologist, Gunjan Patidar, said, “He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps… His/her key request was that we run a healthy bug bounty program for security researchers.”
Zomato has agreed to this request. Despite having an active profile on HackerOne, the company had failed to provide any incentives to the ethical hacker community.
The link to the data has been removed from the dark web, but one cannot be certain that the data itself has been completely removed from the platform. From the events so far, it is not hard to believe that this could be the work of a genuine ethical hacker, so it is likely that the data is no longer available on the dark web.