Zomato Resets Passwords And Logs Out Users After 17 Million Records Stolen From Website

Zomato has become the latest startup to be hit by a security breach.

The company has said that it has just discovered that 17 million user records were stolen from its database. The stolen records include usernames, email addresses and hashed passwords of Zomato customers. Zomato says that no payment data, including stored credit card information, was compromised.


Given the breach, the company has reset the passwords of the affected users and logged them out of the website and the app. It has additionally encouraged all its users to change their Zomato account passwords. The stolen passwords are not directly readable by the attackers: a hashed password is not stored in plain text, and a hash cannot be reversed into the original password. It can, however, be attacked offline by hashing common passwords and comparing the results, so weak or reused passwords remain at risk, which is why the forced reset matters. The email addresses of Zomato's users, on the other hand, were certainly readable. 17 million email addresses can be extremely valuable, either to email marketers or to a competitor, and Zomato says that its users can expect to receive some spam emails going forward.
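To show why "hashed, so it can't be converted back" is only half the story, here is an added example (not Zomato's code, and the page does not say which hashing scheme Zomato used). It runs a dictionary attack against two constructed schemes: unsalted MD5, where one pass over the wordlist cracks every matching record at once, and salted PBKDF2, where each record costs a separate slow computation per guess. Users, passwords and the wordlist are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample: (email, plaintext password) pairs standing in for leaked records.
SAMPLE_USERS = [
    ("alice@example.com", "password123"),
    ("bob@example.com", "letmein"),
    ("carol@example.com", "Tr0ub4dor&3"),  # not in the wordlist, so it survives both attacks
]

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "password123", "qwerty", "letmein", "iloveyou"]


def fast_hash(password: str) -> str:
    """Unsalted MD5: the kind of weak scheme a dictionary attack walks through in one pass."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_fast_hashes(records, wordlist):
    """Hash each candidate once, then look up every stolen hash in that table.

    Returns (recovered {email: password}, number of hash evaluations performed).
    """
    table = {fast_hash(w): w for w in wordlist}
    recovered = {email: table[h] for email, h in records if h in table}
    return recovered, len(wordlist)


def slow_hash(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string carries its own salt and cost."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_slow(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; constant-time compare of the result."""
    _name, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_slow_hashes(records, wordlist):
    """Per-record salt defeats the shared table: every (record, guess) pair is a fresh
    PBKDF2 run of `iterations` work. Returns (recovered, number of PBKDF2 evaluations).
    """
    recovered, evaluations = {}, 0
    for email, stored in records:
        for guess in wordlist:
            evaluations += 1
            if verify_slow(guess, stored):
                recovered[email] = guess
                break
    return recovered, evaluations


if __name__ == "__main__":
    fast_records = [(e, fast_hash(p)) for e, p in SAMPLE_USERS]
    print("unsalted MD5:", crack_fast_hashes(fast_records, WORDLIST))
    slow_records = [(e, slow_hash(p)) for e, p in SAMPLE_USERS]
    print("salted PBKDF2:", crack_slow_hashes(slow_records, WORDLIST))
```

Both schemes give up the two weak passwords, because guessing, not reversal, is how hashes fall; the slow, salted scheme only makes each guess expensive and forces the attacker to pay that price per record. The strong password survives either way, which is the point of the "use different passwords for different sites" advice.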

Update: It appears the hacked data was available for sale on the Dark Web before Zomato announced its breach. Nearly 13 hours ago, HackRead reported that a cache of 17 million Zomato accounts was listed on a popular Dark Web marketplace. A user by the name of nclay was selling the entire cache for $1001 (Rs. 65,000). HackRead tested a sample of the data, and it did contain email addresses registered with Zomato.



Zomato says it is not yet sure how the breach happened, but the evidence points to a compromised internal account rather than a flaw in the public-facing site. "Our team is actively scanning all possible breach vectors and closing any gaps in our environment. So far, it looks like an internal (human) security breach – some employee's development account got compromised," says a blogpost by Zomato's CTO Gunjan Patidar. The company says it will further enhance security measures for all user information stored within its database, and will add a layer of authorisation for internal teams that have access to this data.

Zomato has had issues with its tech in the past. Just last month, the company sent out notifications to thousands of users about orders they had never made, leading to much confusion. Indian startups have been hit by hacks before: in 2015, someone exploited a flaw in Ola's architecture to get themselves free recharges, and in 2014, Naukri.com asked its users to reset passwords after user data was stolen.

Zomato, to its credit, has come out and declared its security breach, and proactively asked users to take action. These are tough times for internet security. Attackers are becoming increasingly sophisticated, and as the recent WannaCry attacks showed, even a single unpatched vulnerability can be exploited to worldwide effect. What users can do to protect themselves is use a different password for every site, so that one leaked hash cannot unlock other accounts, and only give their details to trusted sources. And ultimately hope that the people running their favourite websites are careful with their data.