Restaurant search website Zomato has announced that it has suffered a major security breach, resulting in the theft of a user database containing 17 million users’ names, email addresses and hashed passwords.
The news comes as it is reported that a hacker calling themselves “nclay” is claiming to offer the database for sale on the dark web.
In a notice published on its blog, Zomato explained that it had logged all users out of its website and app, and was resetting all user passwords as a precaution.
Initially the company merely said that the hashed passwords stored in the stolen database “cannot be converted/decrypted back to plain text”. After criticism from computer security professionals, this was revised to “cannot be easily converted back to plain text.” The distinction matters: a hash is one-way, but an attacker who holds the hashes does not need to reverse them. They can hash candidate passwords offline and compare the results, so common and weak passwords fall quickly, and all the more so if the hashing scheme is fast and unsalted. The company has not said which scheme it used.
Although it’s good news to hear that no payment card information has been accessed by the hackers, a serious security breach has clearly occurred.
Many people will have used the same weak password for their Zomato account as on other websites, meaning that if the hackers are able to crack a user’s credentials they could use that information to break into other online accounts. If you are in the habit of reusing passwords across the internet that’s a habit you really need to get out of now.
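The following is an added example (not Zomato’s code or data, and not from the original article) showing why “hashed” does not mean “safe” once the database is in an attacker’s hands, and why the password you reuse elsewhere is the one that gets cracked first. The user records and wordlist are constructed; the unsalted MD5 scheme is assumed for illustration, since the page does not say what Zomato used. The salted PBKDF2 variant is shown beside it so the cost difference is visible.

```python
import hashlib
import os
import time

# Constructed sample "leaked" records for illustration only: a few users,
# most of whom chose a password that appears in a small attacker wordlist.
USERS = {
    "alice@example.org": "password",
    "bob@example.org": "foodie2017",
    "carol@example.org": "Tr0ub4dor&3-not-in-list",
    "dave@example.org": "123456",
}

# Constructed attacker wordlist (real ones hold hundreds of millions of entries).
WORDLIST = ["123456", "password", "qwerty", "letmein", "foodie2017", "zomato"]


def unsalted_md5(password: str) -> str:
    """Fast, unsalted hash: assumed weak storage scheme, used here as the 'before'."""
    return hashlib.md5(password.encode()).hexdigest()


def leak_unsalted(users: dict) -> dict:
    """What the attacker gets if the site stored unsalted MD5: email -> hex digest."""
    return {email: unsalted_md5(pw) for email, pw in users.items()}


def crack_unsalted(leaked: dict, wordlist: list) -> tuple:
    """Offline dictionary attack. Because there is no salt, one hash per
    candidate word is enough to test that word against every user at once."""
    table = {}
    evaluations = 0
    for word in wordlist:
        evaluations += 1
        table[unsalted_md5(word)] = word
    recovered = {email: table[h] for email, h in leaked.items() if h in table}
    return recovered, evaluations


def salted_kdf(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256). Argon2, scrypt or bcrypt
    would be preferred in production; PBKDF2 is used because it is in the stdlib."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def leak_salted(users: dict) -> dict:
    """What the attacker gets if the site stored salted PBKDF2: email -> (salt, digest)."""
    leaked = {}
    for email, pw in users.items():
        salt = os.urandom(16)  # per-user random salt stored alongside the digest
        leaked[email] = (salt, salted_kdf(pw, salt))
    return leaked


def crack_salted(leaked: dict, wordlist: list) -> tuple:
    """Same dictionary attack against salted hashes. The salt forces the attacker
    to recompute every candidate separately for every user, and each computation
    is thousands of times slower than MD5. The weak passwords still fall; the
    cost of finding them is what changes."""
    recovered = {}
    evaluations = 0
    for email, (salt, digest) in leaked.items():
        for word in wordlist:
            evaluations += 1
            if salted_kdf(word, salt) == digest:
                recovered[email] = word
                break
    return recovered, evaluations


def cost_ratio(samples: int = 20) -> float:
    """Rough wall-clock ratio of one PBKDF2 evaluation to one MD5 evaluation."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(samples):
        unsalted_md5("password")
    md5_time = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    for _ in range(samples):
        salted_kdf("password", salt)
    kdf_time = (time.perf_counter() - t0) / samples
    return kdf_time / max(md5_time, 1e-9)


if __name__ == "__main__":
    found, n = crack_unsalted(leak_unsalted(USERS), WORDLIST)
    print(f"unsalted MD5: recovered {found} with {n} hash evaluations")
    found, n = crack_salted(leak_salted(USERS), WORDLIST)
    print(f"salted PBKDF2: recovered {found} with {n} hash evaluations")
    print(f"each PBKDF2 evaluation costs roughly {cost_ratio():.0f}x an MD5 evaluation")
```

Both attacks recover the three users who picked a wordlist password; only carol, whose password is not in the list, survives. The unsalted run needs one hash per candidate regardless of how many users there are, which is why a single precomputed table cracks an entire 17-million-row dump. The salted, slow variant multiplies the work by the number of users and by the per-evaluation cost, which buys time for a forced reset but is no substitute for not reusing the password in the first place.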
Furthermore, the hackers now know the email addresses of 17 million innocent foodies. That information could be used for future attacks – such as spam, phishing, or malware. The more an attacker knows about you (they know you’re into restaurant nightlife, and were a member of Zomato at the very least) the more convincing they can make their attack.
Interestingly, Zomato says that it believes the hackers gained access to its user database after a staff member’s development account was compromised. This suggests that the company was not properly authenticating employee access to its servers, for instance through two-factor authentication, or by limiting the range of IP addresses allowed to connect to internal systems.
Hopefully that’s a lesson that the company will learn quickly as it reviews its security in the coming days and weeks.
Concerned users are advised to contact Zomato’s support team at firstname.lastname@example.org with any questions.
Embedded tweet from Tripwire, Inc. (@TripwireInc), May 18, 2017: “Which of the following types of attacks are you most concerned about in 2017?”