Zomato has stated in an official blog post that 1.7 Crore user accounts have been hacked from their database.
Not only that, the perpetrator of this hack seems to have put this hacked user database for sale on Dark Web Marketplace. According to Hackread.com, a Dark Web vendor by the name of “nclay” has claimed to have hacked Zomato. It is now willing to sell data pertaining to 17 million registered users on a popular Dark Web marketplace.
The site has also shown a screenshot of user data listing \priced at just a USD 1000!
Many linked the attack to the Wanna Cry Ransomware, but to clear out, this attack is not a ransomware attack, but here the data was stolen from Zomato’s database.
What was Stolen?
The report which was released by Zomato on their blog, they claimed only user records were stolen, which included email ids and hashed passwords, but does not include any kind of credit card or banking details, or any kind of banking related information.
Payment related information is stored in the PCI Data Security Standard, which is a more secure vault, and the hackers could not hack that data.
What to do now?
There nothing much for you to do. Don’t start uninstalling Zomato App or start any #BanZomato Campaign just yet. Zomato needs to make sure that the data does get sold. In worst case scenario that it does, you will need to change your password and your mail might start getting a barrage of spam emails!
What can Hackers Do With the Data?
The hackers/buyers of the data of the users will take the help of hashing passwords which can reveal the actual password, i.e will transform the original password into some incoherent number of characters, which would bring down other factors like having them convert into actual ones.
There is a clear possibility that they will be converting the hashed password into the original ones, as the rehashing process can easily convert back the hashed passwords into plain data.
Though in the whole process, this theory of the original password will be still on the safer side. Even in the blog, Zomato has mentioned that the users should better change their existing Zomato password or of any other Zomato related services. Luckily no payment related information was hacked, hackers cannot do anything on that front!
How the Data got Hacked?
In the blog released by Zomato, it claimed that it was an erroneous attribution, which was manual and not technical. It is a human error which caused the security breach, and the data development account got compromised.
Now Zomato will plug into working on their security base and will try to fill in the gaps in their cyber security vaults and promised to make their systems more secure.
Zomato even assured that they will be including an additional layer of security over the authority process for the registration. Even the internal teams having access to user data will be assessed, so that there is no possibility of any kind of security breach in the future.