Zomato intends to work with ethical hacker community to plug its security gaps, as well as launch a bug bounty program.

The chief technologist at Zomato says the hacker responsible for breaching his company's database agreed to destroy all copies of the stolen data and remove it from the dark web, but only after the restaurant review service agreed to start a bug bounty program.

"The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers," wrote Gunjan Patidar in a blog post on Thursday.

The hacker, who goes by the handle "nclay," was discovered selling approximately 17 million Zomato user records, which included user IDs, names, usernames, email addresses and hashed passwords. The company reset the passwords for all affected users and logged them out of both its app and website.

HackerOne will run the vulnerability disclosure program, wrote Patidar, noting that the hacker has already removed the link to the dark web marketplace that was selling the data. Patidar did not mention any monetary compensation or ransom payment going to the hacker, who, according to Zomato, will provide details on how he breached the company.