Zomato breach leaves bad taste in mouth of 17 million users


Zomato, an online restaurant search and review service, has notified its customers of a data breach, after a dark web vendor was discovered selling data belonging to millions of the company's users. 

How many victims? Approximately 17 million user records were stolen from the company's database.

What type of information? The hacker stole user IDs, names, usernames, email addresses and hashed passwords.

Payment information, which is stored in a separate, secure PCI Data Security Standard (DSS) compliant vault, was not affected, according to Zomato, which is headquartered in India. Zomato users who log in via third-party OAuth services such as Google and Facebook are not at risk from this breach, the company also noted.

What happened? Details from Zomato are scant, but the company claims in a corporate blog post that the incident "looks like an internal (human) security breach," after an employee's development account was compromised.

Prior to Zomato's blog post, HackRead reported that a dark web vendor with the online handle "nclay" was selling Zomato user data on a cybercrime marketplace for approximately $1,000 in bitcoins.

What was the response? Zomato reported that it reset the passwords for all affected users and logged them out of both its app and website. The company says it is actively searching for and plugging any potential breach vectors, and plans to further enhance the security of user information, as well as require internal teams that have access to user data to go through authorization.

The company is also advising affected users who log into other web services with the same stolen Zomato passwords to change passwords for those services as well.

Source: Zomato and HackRead.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
