It turns out that Zomato’s hack today — which exposed 17 million of its users’ emails and passwords — was only meant to give the company a wake up call.
Zomato has now announced that they’re now in touch with the hacker, who went by the name of “nclay”. “The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers,” said a company blogpost. The hacker had earlier put up 17 million Zomato emails and passwords for sale on the Dark Web for a mere $1001 (Rs. 65,000).
The hacker wasn’t always cooperating with the company. Earlier in the day, he’d reportedly posted angry messages along with his job listing. “The reason of their hack is because they’re ungrateful, having a bug bounty program and end up with a rooted server. I’m hardly remorseful, researchers help them and you ignore them, well done for you.”
The hacker was reportedly unhappy with Zomato’s bug bounty program. Most major companies run such programs, in which they reward individuals who inform them of vulnerabilities in their systems. These rewards can be quite generous — a Flipkart employee had been paid Rs. 10 lakh for pointing out a flaw in Facebook’s security. Uber had later rewarded the same hacker with Rs. 3 lakh for discovering a hack through which he was able to book rides for free.
Zomato apparently had a bug bounty program, but until now didn’t provide monetary rewards for hackers who discovered bugs. “We do not currently have a monetary bug bounty programme, but any report that results in a change will at minimum receive Hall of Fame recognition. We would also be more than happy to provide a certificate of acknowledgement,” said Zomato’s entry at HackerOne, which was posted in February 2016.
nclay’s efforts seem to have changed all that — Zomato has said it’ll begin providing monetary rewards to hackers who point out bugs in its systems. “We are introducing a bug bounty program on Hackerone very soon,” its blogpost said. This seems to have satisfied nclay, who has taken down the link to the stolen data from the marketplace, and agreed to destroy all of its copies. nclay has also given Zomato all details around how they got access to their database. Zomato has said that it’ll soon share details on its blog so that other companies can learn from its mistakes.
So it looks like all’s well that ends well — apart from the fact that Zomato’s data was publicly available for sale for nearly half a day It’s hard to tell if copies were bought during that period, but Zomato seems to have acted quickly and got the listing taken. nclay also seems to have got what he wanted — going forward, other hackers can hope to be rewarded by Zomato if they discover flaws in its code. While one can’t condone hacking of any sort, but catching a billion dollar company with its pants down, and then proceeding to get them to change their policies, does seem pretty badass.