Zomato announced in a blog post today that it had contacted the unidentified hacker from yesterday’s data breach. The breach had led to details of 7.7 million users being stolen. The leaked information, listed for sale on a Darknet market (hansamkt2rr6nfg3.onion/listing/93556), was taken down by the hacker after Zomato requested them to do so, the company added. The food delivery company is also introducing a new bug bounty program for ethical hackers after the hacker apparently advised the company to do so. “The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and…plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers. We are introducing a bug bounty program on Hackerone very soon,” the company said in the post. However, several security researchers who claimed to have analyzed the leaked have raised their doubts on Twitter. Zomato was apparently using an outdated encryption standard (MD5) for encrypting passwords, a researcher, Sajal Thomas, claimed. This HackRead report, which claims to have reviewed a sample of the leaked data, points out that the usernames leaked on the Darknet portal were genuine. MediaNama was not able to independently verify this. Loopholes Zomato’s password encryption method The MD5 algorithm, used for encrypting passwords by Zomato was deemed as an “insecure cryptographic storage” method by The Open Web Application Security Project (OWASP) back in 2007. This put users at risk since the encrypted passwords stored on Zomato’s database can be converted into readable formats…
