Hacker agrees to delete Zomato user data when promised robust bug-bounty programme
Update #2: Zomato has issued another security update, stating that the hacker has agreed to delete the user data and take the listing down. Zomato settled the breach by promising the hacker a well-funded bug bounty program run on Hackerone, a bug bounty platform.

“The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers.” wrote Gunjan Patidar, Zomato CTO in a blog post posted an hour ago.

“We are introducing a bug bounty program on Hackerone very soon. With that assurance, the hacker has, in turn, agreed to destroy all copies of the stolen data and take the data off the dark web marketplace. The marketplace link which was being used to sell the data on the dark web is no longer available.”

FactorDaily can confirm that the dark web link is down. The post goes on to say that “only 5 data points were exposed – user IDs, Names, Usernames, Email addresses, and Password Hashes with salt.”

Update #1: Zomato has updated its blog post after Troy Hunt, an Australian security expert, questioned its earlier claim that a “hashed password cannot be converted/decrypted back to plain text — so the sanctity of your password is intact in case you use the same password for other services.”

In reply, Gunjan Patidar of Zomato, who had written the earlier blog post, changed this to: “We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We however, strongly advise you to change your password for any other services where you are using the same password.”

Earlier this para read: “The hashed password cannot be converted/decrypted back to plain text – so the sanctity of your password is intact in case you use the same password for other services. But if you are paranoid about security like us, we encourage you to change your password for any other services where you are using the same password.”

In an email exchange with FactorDaily, Hunt said he will make this breach searchable on his service, Have I Been Pwned, if he sees the dump in data breach trading circles. The website lets a user check whether an email address has appeared in a data breach.

“The way hashes are broken is they’re ‘cracked’, which usually means taking a whole bunch of possible passwords and then computing them with the same hashing algorithm and comparing them to the ones taken from a system,” said Hunt. Depending on how fast the hashing algorithm is (slow ones are better because it means hashes take longer to crack), and also depending on the strength of the passwords people used, it can be trivial, he added.

“Weak hashing algorithms can be calculated at tens of billions of times per second on consumer hardware, which means it’s easy to make a lot of guesses as to what a password may be. Zomato have actually just revised their statement following my tweet to give more accurate advice and also refer to ‘iterative hashing’, which means using many calculations to slow it down. They don’t provide any more detail (which algorithm, how many hashes), but certainly as a matter of caution you should always advise people to change their password anyway.”

Others, such as CIS Policy Director Pranesh Prakash, had also asked what method Zomato had used to hash its passwords.

According to the seller, ‘nclay’, the hashing algorithm used to secure the passwords at Zomato is MD5. Originally designed as a cryptographic hash function, MD5 (Message Digest algorithm 5) is fast to compute, which is why passwords hashed with it are known to be vulnerable to brute force attacks.
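
To make concrete the difference between the fast, unsalted MD5 the seller claims and the salted, iterated hashing Zomato later described, here is an added example (not code from Zomato, Hunt or the article) that implements both storage styles and the guess-and-compare procedure Hunt outlines. The iteration count, the wordlist and the three-entry dump are constructed for illustration; the article gives no algorithm details.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Assumption: Zomato never disclosed its algorithm or iteration count; 100k is an
# illustrative work factor for this example, not a value from the article.
ITERATIONS = 100_000

def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Store a password as 'pbkdf2_sha256$<iterations>$<salt>$<digest>' with a per-user salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def unsalted_md5(password: str) -> str:
    """Fast, unsalted hash of the kind the seller claimed Zomato used."""
    return hashlib.md5(password.encode()).hexdigest()

def lookup_matches(dump: List[str], wordlist: List[str]) -> int:
    """Hunt's procedure against unsalted MD5: hash every guess once, then look each
    leaked hash up in that table. One hash computation per guess serves the whole dump."""
    table = {unsalted_md5(w) for w in wordlist}
    return sum(1 for h in dump if h in table)

def guess_work(users: int, guesses: int, iterations: int = 1, salted: bool = False) -> int:
    """Hash computations needed to test every guess against every user. A per-user salt
    defeats the shared table (work scales with users) and iterations multiply each test."""
    return users * guesses * iterations if salted else guesses * iterations

# Constructed sample: three users, two of whom chose passwords that appear in a tiny wordlist.
WORDLIST = ["123456", "password", "zomato123", "letmein", "qwerty"]
MD5_DUMP = [unsalted_md5("password"), unsalted_md5("qwerty"), unsalted_md5("c0rrect-h0rse-b@ttery")]

if __name__ == "__main__":
    print("MD5 dump entries recovered by lookup:", lookup_matches(MD5_DUMP, WORDLIST))
    stored = hash_password("password")
    print("same password, different salts:", stored != hash_password("password"))
    print("verify:", verify_password("password", stored), verify_password("qwerty", stored))
    print("work for 17M users x 1e9 guesses: md5 =", guess_work(17_000_000, 10**9),
          "salted+iterated =", guess_work(17_000_000, 10**9, ITERATIONS, salted=True))
```

The work-factor arithmetic is why Hunt's advice holds either way: with unsalted MD5 one guess is checked against all 17 million users at once, while per-user salt and iterations make the attacker pay per user, per guess, per iteration.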

Zomato hasn’t responded to FactorDaily’s queries on whether phone numbers were a part of the breach.

The food-tech company has been running a bug bounty program on Hackerone, though it doesn’t pay hackers for disclosing vulnerabilities. The food-tech unicorn scores 50 on Fallible’s Product Security Index, where it ranks 50th among the 68 startups listed there.

Meanwhile, we have found a link to the listing of the breached data on Hansa market, a dark web market (withheld for privacy reasons).

UPDATE ENDS

Food-tech company Zomato’s user database has been hacked, with over 17 million user records stolen, according to a blog post published by the company today. However, payment information is secure as it is stored on a different server, said Zomato, the online restaurant review and food delivery company with a presence in 23 countries.

“The stolen information has user email addresses and hashed passwords. The hashed password cannot be converted/decrypted back to plain text — so the sanctity of your password is intact in case you use the same password for other services,” Zomato said in the blogpost.

The company also mentioned that no payment information or credit card data has been stolen/leaked as they were stored separately in a PCI Data Security Standard (DSS) compliant vault.

Zomato has said that the breach originated inside the company.

“So far, it looks like an internal (human) security breach — some employee’s development account got compromised,” the post said.

The stolen data is now available for sale on the dark web, according to security blog Hackread.

“The database includes emails and password hashes of registered Zomato users while the price set for the whole package is USD 1,001.43 (BTC 0.5587),” according to Hackread.

Zomato seems to have been alerted to the data breach only after the data became available on the dark web.

This breach follows a series of attacks by the WannaCry ransomware across India over the past week, which affected installations in Hyderabad, Chennai, Kolkata and Pune.

This is a developing story and will be updated as and when we have more information.