India’s popular food ordering website Zomato suffers a security breach. 17 million Zomato users email and encrypted passwords are up for sale on Dark Web for USD 1001.45. It was not confirmed whether Zomato was hacked or the data was obtained by some other means.
The vendor also shared a sample data to prove that the date is legit. You can check the screenshot of the listing.
Up to 50% off - SpeakersUp to 60% off - Speakers on Amazon sale
A person from HackRead downloaded the sample and tried to test it on Zomato. Yes, the data was legit and these emails belong to users of Zomato.
Before we could contact Zomato, the company has issued a security notice and confirmed that payment information of users is safe. Zomato separately keeps the payment information in highly secure PCI Data Security Standard (DSS) compliant vault.
The company has also reset the passwords for all affected users and logged them out of website and app. Zomato also promised to monitor the activity on the server to see if there is any illegal activity on its food ordering platform.
Even if Zomato claims that “hashed password cannot be converted/decrypted back to plain text”, we already know that MD5 is not very hard to crack. There are lots of tools that can brute force to reveal the plaintext out of encrypted MD5 string.
So, we encourage all users to change your password and keep a new one that is hard to guess. The harder your password is, the harder it is to break.
Zomato didn’t comment on how this information was stolen. They see it as an internal (human) security breach and suspect that employee’s development account got compromised.
Source: Hack Read