Zomato has issued an update on its ongoing security incident, in which over 17 million user accounts were stolen from its database and put up for sale on the dark web. The company has apparently gotten in touch with the hacker who listed the data.
Surprisingly enough, Zomato claims the hacker has been very cooperative. They basically wanted the company to acknowledge the security vulnerabilities in its systems and to work with the ethical hacking community to close the holes.
The attacker went as far as to ask Zomato to run a robust bug bounty program for security researchers. The brand in fact already has one on HackerOne, but it does not offer any monetary rewards. Instead of money, it promises Hall of Fame recognition and a certificate of acknowledgement.
This might change soon, since Zomato has now announced that it will introduce a new bug bounty program on HackerOne. It did not specifically say whether it would start paying cash, but that seems more than likely.
Zomato’s pledge appears to have been enough for the hacker since they apparently agreed to destroy all copies of the data and remove it from the dark web. They even shared how the breach happened in the first place. The firm plans to publicly share this once it’s taken care of the loopholes.
Out of the 17 million affected users, 6.6 million had password hashes included in the stolen data. A hash cannot be reversed directly, but it can be cracked by brute-force or dictionary guessing, and the weaker the hashing scheme, the cheaper that is. Zomato is now getting in touch with this group and asking them to change their password on every other service where they reused it.
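The passage above says the leaked hashes "can be cracked", which deserves a concrete illustration. The following is an added example and not code from the article or from Zomato; the article does not say which hashing scheme Zomato used, so the weak scheme here (unsalted MD5) is an assumption, as are the wordlist, the account names and the passwords, which are all constructed. It runs the same dictionary attack against an unsalted fast hash and against a salted PBKDF2 hash to show where the cost difference comes from.

```python
"""Added example: a dictionary attack on leaked password hashes.

Everything below is constructed sample data; the unsalted-MD5 scheme is an
assumption, since the article does not name Zomato's hashing algorithm.
"""
import hashlib
import hmac
import os

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "letmein", "zomato123", "welcome1", "qwerty", "iloveyou"]

# Constructed "leaked" accounts: (user, plaintext). The plaintext is only
# needed to build the sample dump; an attacker sees just the hashes.
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "letmein"),
    ("bob@example.com", "zomato123"),
    ("carol@example.com", "Tr0ub4dor&3"),  # not in the wordlist; survives both attacks
]


def fast_unsalted_hash(password: str) -> str:
    """Assumed weak scheme: one unsalted, fast digest per password (MD5 here)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def slow_salted_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Hardened scheme: per-user random salt plus a deliberately slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def leak_unsalted(accounts):
    """Shape of a dump of unsalted hashes: {user: hex_digest}."""
    return {user: fast_unsalted_hash(pw) for user, pw in accounts}


def leak_salted(accounts, iterations):
    """Shape of a dump of salted KDF output: {user: (salt, digest)}."""
    dump = {}
    for user, pw in accounts:
        salt = os.urandom(16)
        dump[user] = (salt, slow_salted_hash(pw, salt, iterations))
    return dump


def crack_unsalted(dump, wordlist):
    """Dictionary attack on unsalted hashes.

    Each candidate word is hashed once and the result is matched against every
    account, so the cost is len(wordlist) no matter how many accounts leaked.
    Returns (recovered {user: password}, number of hash evaluations).
    """
    table = {fast_unsalted_hash(w): w for w in wordlist}
    recovered = {user: table[h] for user, h in dump.items() if h in table}
    return recovered, len(wordlist)


def crack_salted(dump, wordlist, iterations):
    """The same dictionary attack against salted, slow hashes.

    The per-user salt means there is no shared table: every account is a
    separate job, and every guess costs `iterations` HMAC rounds, not one digest.
    Returns (recovered {user: password}, number of KDF evaluations).
    """
    recovered, kdf_calls = {}, 0
    for user, (salt, digest) in dump.items():
        for w in wordlist:
            kdf_calls += 1
            if hmac.compare_digest(slow_salted_hash(w, salt, iterations), digest):
                recovered[user] = w
                break
    return recovered, kdf_calls


if __name__ == "__main__":
    weak, ops = crack_unsalted(leak_unsalted(SAMPLE_ACCOUNTS), WORDLIST)
    print(f"unsalted MD5: {len(weak)}/{len(SAMPLE_ACCOUNTS)} cracked "
          f"with {ops} hash evaluations -> {weak}")
    rounds = 100_000
    strong, calls = crack_salted(leak_salted(SAMPLE_ACCOUNTS, rounds), WORDLIST, rounds)
    print(f"salted PBKDF2: {len(strong)}/{len(SAMPLE_ACCOUNTS)} cracked "
          f"with {calls} KDF calls x {rounds} rounds each -> {strong}")
```

Both runs recover the same two weak passwords, which is the honest lesson: salting and a slow KDF do not protect a password that is in the attacker's wordlist, they only multiply the attacker's cost (here from six digests to eleven KDF calls of 100,000 rounds each, and the gap grows with the number of leaked accounts). That is why the advice to users who reused the password elsewhere is the right one regardless of how the hashes were stored.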