Unveiling a major security breach, popular food ordering app Zomato said on Thursday that the records of around 17 million or 1.7 crore of its 120-million subscribers have been stolen from its database.
The stolen information has user email addresses and hashed passwords, the company said in a blog post. While the hashed passwords are encrypted, and thus harder to access, there is no guarantee that they won’t eventually get cracked.
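The article notes that leaked hashed passwords may eventually be cracked. How hard that is depends on how the hashes were produced: a fast, unsalted hash lets identical passwords across accounts share one digest, while a salted, iterated scheme gives every account a unique digest that must be attacked individually. The following added example (illustrative code, not Zomato's implementation; the scheme label, iteration count and salt size are assumptions) contrasts the two and shows a post-breach check for records that need re-hashing:

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for the illustrative scheme; not Zomato's configuration.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def unsalted_sha256(password: str) -> str:
    """Fast, unsalted hash: the same password always yields the same digest,
    so one precomputed lookup table serves against every account at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as 'scheme$iter$salt$digest'.
    A fresh random salt per record means two users with the same password
    get different stored values, and each must be attacked separately."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    try:
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
        expected = bytes.fromhex(parts[3])
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, minimum_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Flag records stored with an unknown scheme or too few iterations.
    After a breach these are the ones to upgrade on next login or force-reset."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return True
    try:
        return int(parts[1]) < minimum_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    users = {"alice@example.test": "correct horse", "bob@example.test": "correct horse"}
    weak = {u: unsalted_sha256(p) for u, p in users.items()}
    strong = {u: hash_password(p) for u, p in users.items()}
    print("unsalted digests identical:", len(set(weak.values())) == 1)
    print("salted digests identical:  ", len(set(strong.values())) == 1)
    print("verify ok:", verify_password("correct horse", strong["alice@example.test"]))
    print("legacy record needs rehash:", needs_rehash(hash_password("x", iterations=1000)))
```

The `needs_rehash` check is the piece a defender runs over a password table after an incident: records under the current scheme and iteration floor can be left to expire naturally, while anything weaker is reset, which is the action the article describes Zomato taking for all affected users.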
The company has also advised its customers to change their passwords if they use the same set at other places too.
The company has further clarified that payment-related information on Zomato is stored separately in a highly secure PCI Data Security Standard (DSS) compliant vault. “No payment information or credit card data has been stolen/leaked. Your credit card information on Zomato is fully secure, so there’s nothing to worry about there,” it said.
“As a precaution, we have reset the passwords for all affected users and logged them out of the app and website. Our team is actively scanning all possible breach vectors and closing any gaps in our environment. So far, it looks like an internal (human) security breach - some employee’s development account got compromised,” it added.
The company has said that, going forward, it will add another level of authorization for internal teams that have access to this data, to avoid the possibility of any human breach.
While the company has assured users that it is taking all possible measures, a report says that the stolen usernames and passwords are being sold online.
HackRead reported that a dark web vendor going by the pseudonym "nclay" has claimed responsibility for the hack.
As per the report, the vendor publicly shared a sample of the trove of stolen data. HackRead said that a test of the sample data showed that every account mentioned on the list existed on Zomato and that the data came from registered Zomato users.