When was the last time you changed your password? For most of us, it has been too long, even though it is common knowledge that the Internet is not getting any safer. Case in point: restaurant app Zomato was hacked last week by someone who infiltrated its systems and stole 17 million users' IDs, usernames, names, email addresses, and hashed passwords. Of those, 6.6 million records were subsequently listed for sale on a dark web marketplace.
Zomato has publicly acknowledged the theft on its official website, giving users full details of the security breach. The company noted that although its password hashing procedure uses a one-way hashing algorithm with multiple hashing iterations and an individual salt per password (which means a password cannot easily be recovered from its hash), it still recommends that users change their passwords to protect their private data. The restaurant app admitted that password hashes can in theory be cracked by brute-force guessing, so it has reset the passwords of all affected users and logged them out of its website and app.
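To make the hashing scheme described above concrete, here is an added example (not Zomato's code, whose algorithm and iteration count are not stated in the post) of salted, iterated one-way password hashing using PBKDF2-HMAC-SHA256 from Python's standard library. The iteration count is an assumed work factor. It shows why two users with the same password get different hashes, how a login check works without ever storing the plaintext, and why a weak password can still be recovered by guessing, which is the reason a reset is advised even for salted hashes.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Assumed work factor for this example; higher values make each guess slower.
ITERATIONS = 200_000
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex.

    A fresh 16-byte random salt is drawn per password, so identical passwords
    do not share a hash and a precomputed table cannot be reused across users.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare.

    hmac.compare_digest avoids leaking how many leading bytes matched.
    """
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        return False
    salt = bytes.fromhex(salt_hex)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_different_records(password: str) -> bool:
    """True when hashing the same password twice yields different records (per-password salt)."""
    return hash_password(password) != hash_password(password)


def guesses_until_match(record: str, candidates: List[str]) -> Optional[int]:
    """Count how many full PBKDF2 evaluations a guesser needs before one candidate verifies.

    Each guess costs the full iteration count, and because the salt is unique,
    this work cannot be shared across the other stolen records. None means the
    constructed candidate list never matched.
    """
    for n, guess in enumerate(candidates, start=1):
        if verify_password(guess, record):
            return n
    return None


if __name__ == "__main__":
    # Constructed sample values; not data from the breach.
    stored = hash_password("correct horse battery")
    print("stored record:", stored)
    print("login ok:", verify_password("correct horse battery", stored))
    print("login wrong:", verify_password("wrong password", stored))
    print("salted differently:", same_password_different_records("correct horse battery"))
    weak = hash_password("123456", iterations=20_000)
    print("weak password found after guesses:",
          guesses_until_match(weak, ["password", "qwerty", "123456"]))
```

The record format stores the iteration count alongside the salt, so the work factor can be raised later for new logins without breaking verification of older records; a legacy row with a lower count is a signal to rehash the password at the next successful login.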
The company said 60% of its users aren’t even at risk of having their information stolen, because they use third-party apps like Facebook and Google to log in. Zomato further assured customers that their payment and credit card data, stored on a different platform, remained untouched and that it has taken steps to further strengthen the security of its database.
Zomato also contacted the hacker, who fortunately agreed to take the listing down from the dark web marketplace. The hacker then asked the company to run a proper bug bounty program for security researchers. Magnanimously, the hacker also gave Zomato full details of how the database was accessed and agreed to work with the ethical hacker community to help the company close the breach.
The India-based startup said the loophole that allowed the hacker to reach its user database has been closed to prevent further leaks. In its official post detailing the issue, Zomato attributed the leak to human error: an employee's development account was compromised, and that appears to be what led to the breach.
In the near future the company will focus on adding more security layers and making sure there are no other security gaps in its systems. First, Zomato plans to introduce another level of internal authorization to reduce the impact of future human errors.
The announcement that one of the world's largest restaurant and food delivery apps had been hacked came just a few weeks after the WannaCry attacks, which caused considerable havoc across the globe. The ransomware paralyzed everything from businesses to government entities and personal consumer devices by encrypting files on infected machines and demanding a $300 ransom from the owner.
The Zomato incident, coming a few weeks after WannaCry, highlights once again how inadequate our existing approach to cybersecurity is in the face of increasingly prevalent malicious hackers online.