In a major cyber attack on food ordering app Zomato, 1.7 crore user records were stolen from the company's database. The stolen database includes user email addresses and hashed passwords.
What Zomato says
The company in its blog post on Thursday gave the following assurances:
- The stolen information can’t be misused since the company has reset the passwords for all affected users.
- The stolen passwords cannot be converted/decrypted back to plain text.
- No payment information or credit card data has been stolen/leaked.
- Users are advised to change their passwords on other accounts where they use the same password.
Here is what Zomato wrote:
The hashed password cannot be converted/decrypted back to plain text - so the sanctity of your password is intact in case you use the same password for other services. But if you are paranoid about security like us, we encourage you to change your password for any other services where you are using the same password.
Important note - payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked.
As a precaution, we have reset the passwords for all affected users and logged them out of the app and website. Our team is actively scanning all possible breach vectors and closing any gaps in our environment. So far, it looks like an internal (human) security breach - some employee’s development account got compromised.
How can this stolen information be misused?
Since we have reset the passwords for all affected users and logged them out of the app and website, your Zomato account is secure. Your credit card information on Zomato is fully secure, so there’s nothing to worry about there.
This is not the first time Zomato has faced a cyber attack. In 2015, ethical hacker Anand Prakash hacked 6.2 crore accounts of Zomato in order to expose the company's flaw. Prakash later informed Zomato, after which its technical team fixed the bug in an hour's time, reports VCCircle.