Food tech company Zomato has been hacked in a security breach which leaked over 17 million user records.
The stolen data includes user email addresses and password hashes. A hacker, known as ‘nclay’, claims to have hacked Zomato and stated that he was looking to sell the data across the Dark Web.
The cybercriminal set the price for the whole package of data at $1,001.43 (approx. £770), and published snippets of the stolen records in order to prove their legitimacy.
As the leaked passwords are hashed, or scrambled into incoherent characters, the chances of converting these into plain text are very slim. Zomato passwords, belonging to its 120 million users, are also thought to be salted, meaning that random characters are added to each password before it is hashed, so the codes remain incomprehensible even if the hash is translated.
Despite these security measures, Zomato is advising users to change their password on any other online services where the same one is used. As a precaution, the firm has also reset the passwords of all affected users and has logged them out of the app and website.
The company noted in a statement that no payment or credit card data had been stolen: ‘Payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault.’
In the blog post, Zomato has admitted that human error was the cause of the breach, describing an incident in which an employee’s development account was compromised. ‘Our team is actively scanning all possible breach vectors and closing any gaps in our environment,’ it said.
The company noted that, over the next few weeks, it will be working to further enhance security measures for all user information stored in its database. It added that a layer of authorisation will also be implemented for internal teams to avoid the possibility of human error.