How One Developer’s Carelessness, And A Hack Of A Completely Unrelated Website Led To The Zomato Hack

A butterfly flaps its wings somewhere in the universe, and two years later, 17 million Zomato passwords and emails are stolen.

On 28th October 2015, the developers at 000webhost, a free hosting provider, discovered that something was amiss. Hackers had managed to use a PHP exploit to gain access to their database, and steal the email addresses and passwords of their 13 million users. 000webhost’s team immediately sprung into action, they reset everyone’s passwords. By 1st November 2015, they had managed to restore the access of their members and also enhanced their security; by 12th November, they were even accepting new signups.

All seemed to be well, except that one its users happened to be an employee of an India-based unicorn.

zomato-logo

 

A Zomato developer had a personal account on 000webhost. 000webhost’s leaked emails and passwords had spread quickly on the internet, having been freely available on several public sources since 1st November 2015. They were stored in plain text, and visible to all. As luck would have it, the Zomato developer had used the same email and password on their Github profile.

It wouldn’t have been hard for hackers to try out several email and password combinations on Github, which is a repository for writing and storing code. They would’ve happened to stumble across the Zomato developer’s profile, and marveled at their discovery — the developer had access to the code of a billion-dollar company, which they were able to read and analyze.

Simply reading the code wouldn’t have helped them gain entry into Zomato’s systems – Zomato says that they only users with certain IP addresses were allowed to access their databases. But the hackers found a way around it — they managed to find a vulnerability in the code, using which they were able to access Zomato’s database remotely. For unknown reasons, says Zomato, they didn’t immediately act on their discovery. For over a year, they sat with the knowledge that they could hack into Zomato’s systems when they pleased.

And this month, they struck. 17 million Zomato emails and passwords were stolen overnight, and put up on the Dark Web for sale for a mere $1001 (Rs. 65,000). Zomato calls the sequence of events “extraordinarily bad luck”. Had the Zomato developer (who Zomato says will remain anonymous) not used the same password across different services in 2015, hackers would’ve never been able to access the Zomato code. Zomato wasn’t blameless either — they didn’t have two factor authentication enabled on Github in 2015 like they do now. Had they enforced a two-factor authentication, even with the developer’s email and password, the hackers wouldn’t have been able to access their code.

For their part, Zomato now appears to have contained the hack. The hacker reportedly told them that they’d leaked the passwords to get Zomato to institute a bug bounty program to reward ethical hackers; Zomato has acceded to their demands. Zomato says it’s also enhanced its security to make sure such a situation doesn’t happen again. But the entire incident underscores how connected the internet is, and how tricky internet security can be  — a hack of web hosting company located millions of miles away can, two years later, can expose the usernames and passwords of of the users of an India-based startup unicorn.