The India-based restaurant review web site Zomato revealed on 18 May 2017 that it had been the victim of a cyber attack compromising data for millions of users.
Zomato founder Deepinder Goyal and chief technology officer, Gunjan Patidar, detailed the nature of the attack in a blog post on 23 May 2017:
The data downloaded as a result of this breach contained five data points for 17 million users - names, emails, numeric user IDs, usernames, and password hashes. The password hashes leak was a little more contained and impacted a subset of 6.6 million users - all the other users were using Facebook/Google for login - we don’t have any password information for those accounts.
Five days earlier, Patidar said in another post that users' credit card and payment information had not been affected by the data breach.
The party responsible for the attack said in an interview that they reported a "vulnerability in the company's infrastructure" to Zomato after discovering it in 2016 but did not get the response, saying, "It does not justify the pain I caused to them, but it is a reason."
The hacker also reportedly posted the data for sale on a "dark web" site, alongside a sample of around 50 accounts. The tech blog Motherboard confirmed that the data was likely legitimately connected to Zomato users, since it could not create new accounts on the site using the email addresses listed on the sample.
According to Goyal and Patidar, the hacker grabbed information belonging to a developer that was leaked online as a result of a separate breach against the Lithuanian company 000WebHost in October 2015.
But Patidar later described the hacker as "very cooperative":
He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers.
According to Patidar, the hacker agreed to "destroy all copies of the stolen data and take the data off the dark web marketplace" in exchange for Zomato introducing a "bug bounty program," through which it can reward users who point out security vulnerabilities in their website. He and Gupta also said that they would collaborate with other Indian online companies on improving their security capabilities.