Zomato Data Breach

Earlier today, our security team discovered that user emails and hashed passwords were stolen from our database. Since then, we have taken multiple steps to mitigate the situation. One of these steps was to open a line of communication with the hacker who had put the user data up for sale.

The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers.

We are introducing a bug bounty program on Hackerone very soon. With that assurance, the hacker has in turn agreed to destroy all copies of the stolen data and take the data off the dark web marketplace. The marketplace link which was being used to sell the data on the dark web is no longer available.

This incident has made our team’s commitment to addressing all our security issues in a responsible and timely manner even stronger. We look forward to working more closely with the ethical hacker community, to make Zomato a safer place for our users.

Having said that, we are going to be cautious and paranoid, as this is a sensitive matter. 6.6 million users had password hashes in the ‘leaked’ data, which can be theoretically decrypted using brute force algorithms. We will be reaching out to these users to get them to update their password on all services where they might have used the same password.

Please note that only 5 data points were exposed - user IDs, Names, Usernames, Email addresses, and Password Hashes with salt. No other information was exposed to anyone (we have a copy of the ‘leaked’ database with us). Your payment information is absolutely safe, and there’s no need to panic.

–

The hacker also gave us all the details on the way he/she got access to this database. We will post this information on our blog once we close the loopholes, so that others can learn from our mistakes.

Click to expand...

[Update] 60% of our users use third party OAuth services (i.e. Google and Facebook) for logging in to Zomato. We don’t have any passwords for these accounts - therefore, these users are at zero risk - both within Zomato, as well as on Google and Facebook (and any other services where the same Google/Facebook ID is being used to log in). For all our other users, as a safety measure, we strongly advise changing your passwords on other services where you might have used the same password as Zomato - we are also sending emails to such users prompting them to do the same as we speak.

Click to expand...

Hello!

We are writing to inform you about a recent security incidence that involves your Zomato account information. While we have taken appropriate measures to limit the impact this has for you, we recommend that you please go through the below details to understand what happened, and how it affects you.

In summary:
Your Name and Email Address was exposed. No other personal details were accessed.
Your Payment information is completely safe

What happened?

On the 17th of May, our team discovered an unauthorized access to a part of our infrastructure that led to exposing the Names and Email addresses of close to 17 million users, as well as hashed passwords for some of these users from our database. We have since patched the vulnerability that resulted in this breach. We also got in contact with the person who accessed this information. The exposed data has not been made public.


How this impacts you?

Your Name and Email Address was exposed in the breach. These are the only pieces of your personal data that was exposed. No other personal information was accessed.
Your payment information is completely secure. All payment data is stored separately in a highly secure PCI DSS compliant vault. This data was not exposed.

What are we doing about this?

We have since patched the vulnerability that led to this breach and have got the exposed data set delisted from public domain. As of now, we're actively working with cyber security experts to ensure all our systems are secure. Additionally, we are undertaking following steps -

We're reaching out to all affected users like you to communicate the impact of the breach.
As a precautionary measure to ensure extra security, we'll be changing all authentication credentials in our system. This should not have any impact on you.
We're changing our encryption algorithms to make it even more harder for someone to guess match passwords from the stored hash.
We're adding safeguards to prevent any such incidents in the future.

What can you do to improve your security online?

Make sure you're using a strong password that is unique to each service. In a lot of cases attackers would try the email password combination from leaked databases on other services. Using a password manager can help you use strong password and free you from having to remember the passwords.
Services like LeakBase and HaveIBeenPawnd let you check if your data was involved in any security breaches. If you find your details on these services, you should change your passwords immediately.


While we apologize for the inconvenience, we assure you that this incident has made our team's commitment to making Zomato a safer place for our users even stronger. We are constantly working to protect your information and privacy.

If you have any questions or concerns around the incident, please do reach out to us at support@zomato.com.


Gunjan Patidar
Chief Technology Officer
Zomato

Click to expand...