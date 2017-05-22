CLAIM

The restaurant review website Zomato suffered an attack that compromised 17 million users' data

RATING

MOSTLY TRUE

WHAT'S TRUE

The Zomato web site was hacked and user data was exposed.

WHAT'S FALSE

The company now estimates that 6.6 million users -- not 17 million -- were affected.

ORIGIN

The India-based restaurant review web site Zomato revealed on 18 May 2017 that it had been the victim of a cyber attack compromising data for millions of users.

The company’s chief technology officer, Gunjan Patidar, said in a blog post:

The reason you’re reading this blog post is because of a recent discovery by our security team – about 17 million user records from our database were stolen. The stolen information has user email addresses and hashed passwords. We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We, however, strongly advise you to change your password for any other services where you are using the same password.

He added that users’ credit card and payment information had not been affected by the data breach. Patidar later updated the post to state that 60 percent of Zomato users were safe from the attack because they logged into the site through Google and Facebook, meaning that those passwords were never stored by the company.

The party responsible for the attack said in an interview that they reported a “vulnerability in the company’s infrastructure” to Zomato after discovering it in 2016 but did not get a response, saying, “It does not justify the pain I caused to them, but it is a reason.”

The hacker also reportedly posted the data for sale on a “dark web” site, alongside a sample of around 50 accounts. The tech blog Motherboard confirmed that the data was likely legitimately connected to Zomato users, since it could not create new accounts on the site using the email addresses listed in the sample.

In a separate post, Patidar said that password information for 6.6 million users was in danger of being exposed through “brute force algorithms.” He also said that Zomato managed to contact the hacker, who he described as “very cooperative”:

He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers.

According to Patidar, the hacker agreed to “destroy all copies of the stolen data and take the data off the dark web marketplace” in exchange for Zomato introducing a “bug bounty program,” through which it can reward users who point out security vulnerabilities on its website.

We contacted Zomato founder Deepinder Goyal seeking further comment. He has yet to respond.