17 million Zomato accounts for sale following breach

Popular restaurant search and discovery service Zomato has suffered a breach, and the attackers made off with 17 million user records.

Zomato breach

What data was compromised?

These records include users’ email address and hashed passwords (“one-way hashing algorithm, with multiple hashing iterations and individual salt per password), but no payment card information.

It’s not easy – but also not impossible – for malicious individuals to convert the hashed passwords back into plaintext, the company admitted, so users are advised to change their password for any other services where they used the same password.

Their Zomato accounts are safe, though, the company says, as they’ve reset the passwords for all affected users and logged them out of the app and website.

They’ve also pointed out that passwords of some 60% of users who use third party OAuth services (i.e. Google and Facebook) for logging into Zomato are definitely safe, as they are not stored by the company.

How did the Zomato breach happen?

“Our team is actively scanning all possible breach vectors and closing any gaps in our environment. So far, it looks like an internal (human) security breach – some employee’s development account got compromised,” the company explained, and said that they will implement additional measures to enhancing database security measures, as well as add a layer of authorisation for internal teams having access to this data to avoid the possibility of any human breach.

According to HackRead, the stolen user records are currently being offered for sale on a popular Dark Web marketplace, for around $1,000 (in bitcoin).

“So-called ‘Foodies” are a massive and growing online community, making them a lucrative and unsuspecting target for cybercriminals looking to steal personal data,” noted Matt Walmsley, EMEA Director, Vectra Networks.

“Food review and discussion forums hold a fair amount of personal data. It is not uncommon for them to also hold payment details, used to simplify ticket ordering for events and reservations for tables at top restaurants. While Zomato is adamant that payment data has not been compromised, it is concerning that email addresses along with hashed passwords have been.”

Resetting user passwords as soon as they became aware of the breach was a great move from Zomato – hopefully not many accounts were ultimately compromised.

The fact that this breach was publicly disclosed and users notified should help them keep safe from potential spear-phishing emails and social engineering tricks using the compromised information.

“It’s unclear just how long ago this data was accessed and stolen by the attacker. However, with an insider breach being reported, it’s likely that traditional perimeter defences were unable to spot or stop them. A lack of visibility across its internal systems has clearly contributed to this breach, and to the vagueness about when it took place. It also escalates the impact of the breach, as it will be hard for users to confirm how far back they need to check other accounts and services that might share the same or similar login credentials,” Walmsley noted.

“Not for the first time in the last year, we see here how poor visibility and lack of identification of active threats inside the network is allowing acts of cybercrime to occur ‘under the radar’. It is why organisations need to take more steps to automate their ability to monitor, detect and act on intrusions and suspicious network behaviour in as close to real time as possible.”

UPDATE (May 22, 2017): Zomato has managed to get in contact with the attacker, and he/she agreed to destroy all copies of the stolen data and take the data off the dark web marketplace. In return, the company acknowledged the security vulnerabilities in their system and will work with the ethical hacker community to plug the security gaps.

The company has promised to set up a bug bounty program on HackerOne, and to soon share more details on the way he/she got access to the user database. “We will post this information on our blog once we close the loopholes, so that others can learn from our mistakes,” they noted.