As many as 17 million Zomato accounts have been breached, and the data put up for sale on a dark web forum. The hack, first reported by HackRead.com, has been admitted by Zomato, and the company has put up a blog post about the same. In its post, Zomato claims that usernames and passwords were stolen, although the passwords are hashed, meaning they are stored in a scrambled, one-way form that has to be cracked separately. Zomato says it uses a “one-way hashing algorithm” for this.
We found the marketplace, called Hansa, where the hacker, going by “nclay”, is selling the data for 0.5587 bitcoins (equivalent to about Rs. 70,000). The listing comes with a sample list of usernames and hashed passwords from among the 17 million. Like HackRead, we tried verifying some of these through Zomato’s forgot password mechanism, and they all checked out.
Sample list from Hansa listing. Email ids and parts of the hashed passwords have been smudged for security.
Perhaps more important is the level of protection mentioned in the listing. According to the listing, Zomato passwords are hashed using the MD5 algorithm, which security experts we spoke to confirmed is the weakest choice for this purpose. “We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We however, strongly advise you to change your password for any other services where you are using the same password,” says the blog post by Zomato. We have written to Zomato to confirm whether MD5 is indeed used for hashing passwords.
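To show what the difference between the listing’s claim (plain MD5) and Zomato’s description (iterated hashing with an individual salt per password) means in practice, here is an added example; it is not code from Zomato or from the original report. The two sample accounts and their shared password are constructed for illustration, and the choice of PBKDF2-HMAC-SHA256 with 200,000 iterations is an assumption, since the page does not say which salted, iterated function Zomato actually uses.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed sample: two different users who happen to pick the same password.
# Neither the addresses nor the password come from the breach data.
SAMPLE_USERS = {
    "user_a@example.com": "Summer2017",
    "user_b@example.com": "Summer2017",
}


def md5_unsalted(password: str) -> str:
    """Single unsalted MD5 round, the scheme the marketplace listing claimed.

    Identical passwords always produce identical digests, so a lookup table
    built once applies to every account, and one cracked hash reveals every
    user who shares that password.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> str:
    """Salted, iterated one-way hash (PBKDF2-HMAC-SHA256, assumed here).

    The stored record carries everything needed to verify later: scheme name,
    iteration count, the per-password salt and the digest, joined by '$'.
    A fresh random salt per password means equal passwords no longer look
    equal in the database, and each guess must be recomputed per account.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and
    compare it in constant time, so timing does not leak how many leading
    bytes matched."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unique_digest_count(scheme: Callable[[str], str]) -> int:
    """How many distinct stored values the sample users produce under a scheme.
    Unsalted MD5 gives 1 (both users collapse to the same digest); the salted
    scheme gives 2."""
    return len({scheme(pw) for pw in SAMPLE_USERS.values()})


if __name__ == "__main__":
    print("unsalted MD5, distinct digests:", unique_digest_count(md5_unsalted))
    print("salted PBKDF2, distinct records:", unique_digest_count(make_record))
    rec = make_record("Summer2017")
    print("correct password verifies:", verify_record("Summer2017", rec))
    print("wrong password verifies:", verify_record("summer2017", rec))
```

The record format mirrors what a password store needs to keep alongside each user: the salt is not secret, it only has to be unique, while the iteration count is what makes each guess expensive for an attacker who obtains the table.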
Security expert and CEO of Lucideus Tech, Saket Modi, mentioned that instances of hashed passwords being cracked have been seen before. Modi talked about the LinkedIn hack, where passwords were hashed using SHA1 (stronger than MD5) but were still cracked. According to Modi, the LinkedIn hack could be what led the hackers to Mark Zuckerberg’s Twitter and Pinterest accounts, since the founder of Facebook apparently used the same password for all these accounts.
Zomato’s blog post does, however, mention that the hacker(s) didn’t get to any payment information or credit card data. “Payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked,” says the post.
Users logging in with Facebook or Google should also be safe from the hack, since Zomato doesn’t hold passwords for them in this case. While it’s unclear how much of these users’ data is accessible, their Facebook and Google passwords are stored on the respective companies’ servers, not Zomato’s.