Zomato seems to have got away with the security hassle it faced recently. In a blog post made less than a day ago, Zomato said that it made contact with hacker “nclay”, who in turn agreed to remove the Dark Web listing selling the Zomato database records. “Earlier today, our security team discovered that user emails and hashed passwords were stolen from our database. Since then, we have taken multiple steps to mitigate the situation. One of these steps was to open a line of communication with the hacker who had put the user data up for sale,” wrote Zomato.
According to the company, the hacker demanded that Zomato work with the ethical hacker community to “plug the gaps” in its security, and also acknowledge the holes. In addition, one of the hacker’s key demands was apparently that Zomato start a “healthy bug bounty” program, which the company says it will launch on HackerOne soon.
The listing on Hansa (the Dark Web marketplace where the data was being sold) has since disappeared. So it seems the hacker is keeping true to his/her word. Zomato is still recommending caution. “Having said that, we are going to be cautious and paranoid, as this is a sensitive matter. 6.6 million users had password hashes in the ‘leaked’ data, which can be theoretically decrypted using brute force algorithms,” the company wrote. The post also says that Zomato will be reaching out to these users to have them update their passwords on all their accounts.
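The quoted warning about hashed passwords being recoverable "using brute force algorithms" turns on how the hashes were stored. The short Python example below is added here to illustrate the point; it is not Zomato's code and nothing is known about the actual scheme Zomato used. It contrasts a fast, unsalted digest (where two users with the same password produce the same stored value, so one successful guess exposes every account in that group) with a per-user salt and an iterated key derivation function (PBKDF2-HMAC-SHA256 from the standard library, chosen as an assumption for the demo). The user records and passwords are constructed sample data.

```python
"""Why leaked *hashed* passwords can still be at risk, and what limits that
risk: a per-user salt plus a slow, iterated KDF.  Added example, not Zomato's
code; all sample values are constructed for the demonstration."""
import hashlib
import hmac
import os

# Constructed sample: two users who happened to choose the same weak password.
SAMPLE_USERS = {
    "alice@example.test": "summer2017",
    "bob@example.test": "summer2017",
}

# Work factor for PBKDF2; raise it over time as hardware gets faster.
PBKDF2_ITERATIONS = 200_000


def fast_unsalted_hash(password: str) -> str:
    """Legacy-style storage: a single fast digest with no salt.

    Cheap to compute, so an offline guessing campaign against a leaked table
    can try enormous numbers of candidates, and identical passwords collide
    into identical stored values."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def slow_salted_hash(password: str, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Recommended storage: random per-user salt and an iterated KDF.

    Each guess costs `iterations` HMAC computations, and the salt means a
    guess has to be repeated separately for every user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations)


def make_record(password: str) -> dict:
    """Create a stored credential record with a fresh 16-byte random salt."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS,
            "hash": slow_salted_hash(password, salt)}


def verify_record(password: str, record: dict) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    candidate = slow_salted_hash(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def identical_hash_groups(hash_by_user: dict) -> dict:
    """Group users whose stored hash values are identical.

    In an unsalted table every group larger than one reveals that those
    accounts share a password; with per-user salts such groups do not form."""
    groups = {}
    for user, h in hash_by_user.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def demo() -> dict:
    """Run both storage schemes over the constructed users and summarise."""
    unsalted = {u: fast_unsalted_hash(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: make_record(p) for u, p in SAMPLE_USERS.items()}
    unsalted_groups = identical_hash_groups(unsalted)
    salted_groups = identical_hash_groups({u: r["hash"] for u, r in salted.items()})
    return {
        "unsalted_shared_password_groups": len(unsalted_groups),  # 1
        "salted_shared_password_groups": len(salted_groups),      # 0
        "verify_correct": verify_record("summer2017", salted["alice@example.test"]),
        "verify_wrong": verify_record("Summer2017", salted["alice@example.test"]),
    }


if __name__ == "__main__":
    print(demo())
```

The practical reading for an incident like this one: if the stolen column was a fast unsalted digest, the company's advice to rotate passwords everywhere is urgent, because offline guessing of common passwords is cheap and each recovered value may unlock several accounts at once. With a salted, iterated KDF the same leak buys an attacker far less per unit of computation, which is why that is the storage scheme a bug bounty reviewer would expect to find.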