
17 million user records stolen from Zomato database

By Apurva Venkat & Salman SH

Zomato has confirmed that its database was compromised by hackers. In a blog post on Thursday, Zomato said that its security team discovered a breach in which encrypted passwords and raw usernames/emails belonging to 17 million users were stolen by unidentified hackers. The company, however, claims that payment-related data and credit card details have not been stolen or leaked, since they are stored in an encrypted format. Zomato says: “We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text.”
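The scheme Zomato describes (one-way hash, multiple iterations, individual salt per password) can be sketched as follows. This is an added example, not Zomato's code: the article does not name the algorithm or its cost, so PBKDF2-HMAC-SHA256, the iteration count and all function names here are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters: the article does not name Zomato's algorithm or cost.
ALGORITHM = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Return a storable record: salt, iteration count and derived hash."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # individual random salt per password
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"),
                                 salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and cost, then compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"),
                                    bytes.fromhex(record["salt"]),
                                    record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def needs_rehash(record: dict, current_iterations: int = ITERATIONS) -> bool:
    """Flag records stored under a lower cost so they can be upgraded at login."""
    return record["iterations"] < current_iterations


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    a = hash_password("correct horse battery staple")
    b = hash_password("correct horse battery staple")
    print("same password, different stored hashes:", a["hash"] != b["hash"])
    print("right password accepted:",
          verify_password("correct horse battery staple", a))
    print("wrong password rejected:", not verify_password("Tr0ub4dor&3", a))
    print("low-cost record flagged:",
          needs_rehash(hash_password("x", iterations=1000)))
```

The per-password salt means identical passwords do not share a stored hash, and the iteration count multiplies the cost of every guess; neither protects a password that is weak or reused elsewhere, which is why a reset is still advised after a leak.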

To fix the breach, Zomato has reset passwords and logged the affected users out of the app and the website. It added that even though the encrypted passwords cannot be decrypted, it had advised users to reset their passwords.

“So far, it looks like an internal (human) security breach – some employee’s development account got compromised. A layer of authorisation will be added for internal teams having access to this data to avoid the possibility of any human breach,” Zomato added. The company said that it will be rolling out specialised updates for “enhancing security measures for all user information stored within our database”, but did not provide a timeline.

Note that this isn’t the first time that Zomato has come across security issues in its system. In 2015, Zomato was hacked by an Indian ethical hacker named Anand Prakash, who not only discovered a critical security flaw in Zomato’s system but also pointed out a bug which could expose a Zomato user’s Instagram images. Zomato, however, fixed the issue after Prakash forwarded the vulnerability report to the company.


No protection for users without a privacy law

Apart from Zomato, several Indian startups, companies and government agencies have reported incidents of user data leakage in the past, including Ola, McDonalds India, CloudFlare’s data breach affecting Indian sites, and even private clinical labs leaking patient data. In the case of the Mumbai lab attack last December, the management of the lab in question simply decided to ignore the leak, stating that “we are not planning to do anything about this.” This can be fixed with a strong privacy law:
i) Companies could be held accountable for negligence;
ii) The government can even fix a standard encryption protocol for storing sensitive data;
iii) The law could also specify courses of action in case a company’s database is compromised.

Reports of Zomato data being sold online

According to a report by HackRead, a vendor going by the online handle of “nclay” is claiming to have hacked Zomato and is selling the data of its 17 million registered users on a popular Dark Web marketplace. The database includes emails and password hashes of registered Zomato users, while the price set for the whole package is USD 1,001.43 (BTC 0.5587). The vendor also shared a trove of sample data to prove that the data is legit, the publication added. Note that this information could not be verified by MediaNama.

Zomato Financials

Zomato reported revenues of $49 million for the financial year ended 31st March 2017 (FY17), a growth of 80% over FY16. For FY17, food ordering accounted for $9 million in revenues, around 8 times that of FY16. Meanwhile, ad sales accounted for $38 million in revenues in FY17, 58% higher than FY16.



MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
