Zomato, an online restaurant search and review service, has notified its customers of a data breach, after a dark web vendor was discovered selling data belonging to millions of the company's users.
How many victims? Approximately 17 million user records were stolen from the company's database.
What type of information? The hacker stole user IDs, names, usernames, email addresses and hashed passwords.
Payment information, which is stored in a separate, secure PCI Data Security Standard (DSS) compliant vault, was not affected, according to Zomato, which is headquartered in India. Zomato users who log in via third party OAuth services such as Google and Facebook are not at risk from this breach, the company also noted.
What happened? Details from Zomato are scant, but the company claims in a corporate blog post that the incident "looks like an internal (human) security breach," after an employee's development account was compromised.
Prior to Zomato's blog post, HackRead reported that a dark web vendor with the online handle "nclay" was selling Zomato user data on a cybercrime marketplace for approximately $1,000 in bitcoins.
What was the response? Zomato reported that it reset the passwords for all affected users and logged them out of both its app and website. The company says it is actively searching and plugging any potential breach vectors, and plans to further enhance the security of user information, as well as require internal teams that have access to user data to go through authorization.
The company is also advising affected users who log into other web services with the same stolen Zomato passwords to change passwords for those services as well.