Zomato has been hacked in a major security breach involving the theft of over 17 million user accounts. Worryingly, it appears the stolen data is now listed for sale on the dark web by a vendor named nclay.
Zomato has confirmed the theft in a blog post, stating that the information includes names, email addresses and hashed passwords. It claims the hashed passwords cannot be converted or decrypted back to plain text. It’s now advising people who use the same password for multiple services to change it on those platforms. As an extra precaution, it’s also best to change the password on Zomato itself.
Zomato claims that all payment-related information is stored separately from the stolen credentials in a PCI Data Security Standard (DSS) compliant vault. It’s stressing that no payment or credit card data has been stolen or leaked in the hack.
As for how the hack happened in the first place, Zomato says it’s probably an internal breach where an employee’s development account got compromised. HackRead had previously reported that nclay was publicly sharing a sample of the stolen information on the dark web and selling the hoard at $1001.45 (roughly Rs 64460). The sample checked out since every account on the list existed on the platform.
Zomato is now in damage control mode, resetting the passwords for affected users and logging them out of the app and website as a precautionary measure. Its team is apparently working towards plugging any security gaps. It’s also planning to enhance security measures for all users and implement a layer of authorization internally to stop this from happening in the future.