Zomato Acknowledges Breach Affecting 17 Million Users' Email Addresses, Hashed Passwords Exposed
In a rare acknowledgment of a data breach by an Indian company, online restaurant guide and food ordering service Zomato says 17 million users' email addresses and hashed passwords were stolen from its database. The company has 120 million users.
Late on Thursday night, Zomato updated its blog to say it had managed to contact the hacker, who agreed not only to destroy all copies of the data but also to remove the database from the dark web marketplace.
In 2015, Zomato was hacked by a white-hat hacker who reported the details to the company, which addressed the weaknesses.
Zomato says in a statement that it found no evidence of unauthorized access to financial or credit card information. "All payment information on Zomato is stored in a highly secure PCI Data Security Standard compliant vault - no payment information or credit card data has been leaked," the statement read.
But the news site Hackread reported that the stolen usernames and passwords were being offered for sale on the dark web for about $1,000. A vendor going by the pseudonym "nclay" has claimed responsibility for the hack, according to the news report.
Although the exposed passwords were protected by salting and hashing, the company said it reset the passwords of all affected users and logged them out of the system. "We can also confirm that we have found no evidence whatsoever of any of Zomato's other systems or products being affected. Our team is actively scanning all possible breach vectors and closing any gaps in our environment."
The company said it's working to improve its security systems. "We'll be further enhancing security measures for all user information stored within our database, and will also add a layer of authorization for internal teams having access to this data to avoid any human breach," the company reported.
Good Intentions or Damage Control?
Sriram S, a technology specialist in cybersecurity at a large managed security services organization, hails Zomato's decision to make the breach public. "What they did is commendable. Not many companies in this space from India have done it before," he says.
But some say the move was more of a damage control measure, especially because Zomato had just received a $20 million infusion of venture capital.
"Ideally, they would not have wanted the information to come out from another source, which would have hampered its future fundraising," says one security practitioner, who asked not to be named. "I wonder if the due diligence [by investors] covers the assessment of the breach resilience or even preventive measures?"
In a blog post, Zomato claims that hashed passwords cannot be converted or decrypted back to plaintext. The post does not specify which hashing algorithm the company used.
"It's misleading to say hashed passwords can't be converted to plain text," says Saket Modi, CEO and co-founder at Lucideus, an IT risk management service provider. For example, passwords hashed using the weak SHA1 algorithm are vulnerable, he points out.
But Sriram argues that the $1,000 asking price for the 17 million user records shows the data stolen doesn't have high value "and the hackers haven't been able to crack the passwords for now."
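The disagreement above turns on how fast a hash can be guessed: a salted SHA-1 digest can be recomputed millions of times per second, so every common password in the set is at risk, while a deliberately slow function such as scrypt limits a guesser to a few dozen attempts per second per core. The following is an added example, not code from Zomato or from the article, showing how a service can keep accepting logins against legacy salted SHA-1 records while transparently re-storing each verified password under scrypt, together with a rough per-guess cost comparison. The record layout, scheme names and scrypt parameters are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Tuple

# scrypt cost parameters (assumed for the example): 16 MiB of memory per guess.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Salted but fast: the kind of scheme the article's experts call weak."""
    return hashlib.sha1(salt + password.encode()).digest()


def strong_hash(password: str, salt: bytes) -> bytes:
    """Salted and deliberately expensive: each guess costs CPU time and memory."""
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def make_record(password: str) -> Dict[str, object]:
    """Create a fresh stored-credential record under the strong scheme."""
    salt = os.urandom(16)
    return {"scheme": "scrypt", "salt": salt, "digest": strong_hash(password, salt)}


def verify_and_upgrade(record: Dict[str, object], password: str) -> Tuple[bool, Dict[str, object]]:
    """Check a password against a stored record.

    Returns (ok, record_to_store). A legacy SHA-1 record that verifies is
    replaced by a new scrypt record, so the weak hash leaves the database
    the next time the user logs in. Comparisons are constant-time.
    """
    hash_fn = legacy_hash if record["scheme"] == "sha1" else strong_hash
    ok = hmac.compare_digest(hash_fn(password, record["salt"]), record["digest"])
    if ok and record["scheme"] == "sha1":
        return True, make_record(password)
    return ok, record


def guesses_per_second(hash_fn: Callable[[str, bytes], bytes], iterations: int) -> float:
    """Rough throughput of a scheme: how many candidate passwords one core can test."""
    salt = b"\x00" * 16  # constructed fixed salt; value is irrelevant for timing
    start = time.perf_counter()
    for i in range(iterations):
        hash_fn(f"guess{i}", salt)
    return iterations / (time.perf_counter() - start)
```

On a typical laptop, `guesses_per_second(legacy_hash, 20000)` runs into the millions while `guesses_per_second(strong_hash, 5)` stays in the tens, which is the whole difference between "salted and hashed" and "not practically crackable".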
The Modus Operandi
Although it's unclear how the records were stolen from Zomato's online database, such breaches often target web and mobile applications, security experts say.
Pavan Kushwaha, co-founder and CEO at Kratikal Tech, says that developers inadvertently leave certain loopholes while developing the applications, which can be exploited by skilled hackers. "Common vulnerabilities that tend to be present over such applications include authentication bypass, authorization bypass, SQL injection, forged requests, etc.," Kushwaha says. "Such vulnerabilities allow hackers to access administrator accounts and potentially allow them to download the entire database."
In addition, Kushwaha notes that many servers are vulnerable to zero-day exploits because they are not updated regularly. "Hackers use such exploits to directly attack the servers and affect the confidentiality and availability of the data," he says.
Phishing attacks and other social-engineering schemes can also lead to the compromise of credentials, paving the way for theft of data, he says.