Hacker steals 17 million users' data from restaurant app Zomato and puts the details up for sale on the dark web

  • Details including names, email addresses, user IDs and passwords were stolen
  • The data was being auctioned on the dark web for around $1,000 (£770) 
  • Zomato has since been in contact with the attacker who has removed the listing
  • The loophole that allowed the exploit to happen has now been plugged

One of the world's largest restaurant and food delivery apps has been the victim of a hacker who stole the data of 17 million users from its database.

Zomato announced that names, email addresses, user IDs and protected passwords were stolen during the attack.

The startup said the 'hashed' passwords could not be decrypted but recommended users change their login details if they use the same password for other services.

Restaurant app Zomato (pictured) fell victim to a hack attack which saw the data of 17 million users stolen from its database. The trove of personal data was being auctioned on the dark web for around $1,000 (£770) until yesterday

ZOMATO HACK

Personal data of 17 million Zomato users, including names, email addresses, user IDs and protected passwords, was stolen from its database earlier this week.

The trove of personal data was being auctioned on the dark web for around $1,000 (£770) by a hacker using an alias.

But Zomato has since been in contact with the attacker, who has removed the listing.

And the Indian firm, which boasts 120 million user visits a month, said that the loophole that allowed the exploit to happen has been plugged to prevent any further data leaks.

Zomato's chief technology officer Gunjan Patidar said customers' financial information was stored separately from the stolen data and was not compromised by the hack. 

Affected users were logged out of the website and app and had their passwords changed as a precautionary measure in response to the attack, which took place earlier this week.

In a statement on Zomato's website, Mr Patidar said: 'We have taken multiple steps to mitigate the situation.

'One of these steps was to open a line of communication with the hacker who had put the user data up for sale.

'The hacker has been very cooperative with us. They wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps.  

'We are introducing a bug bounty program on Hackerone very soon. 

'With that assurance, the hacker has in turn agreed to destroy all copies of the stolen data and take the data off the dark web marketplace.'

The hack of the internationally popular e-commerce startup comes on the heels of the 'WannaCry' cyberattack, the world's biggest ransomware attack to date.

Zomato, which boasts 120 million user visits a month, has plugged the loophole that allowed the data breach and is enhancing its security measures.

Zomato, which boasts 120 million user visits a month, has plugged the loophole that allowed the data breach and is enhancing its security measures. The Indian firm has also been in contact with the attacker, who has removed the listing from the dark web (stock image)

The WannaCry culprits demanded payment in virtual currency and threatened to delete files on compromised computers, which numbered in the hundreds of thousands worldwide.

Zomato said it would further enhance its security measures after the database breach.

The company, a so-called 'unicorn' startup because it is valued at more than $1 billion, was founded in 2008 and it now operates in 23 nations.