17 million user records stolen from Zomato database

By Apurva Venkat & Salman SH

Zomato has confirmed that its database was compromised by hackers. In a blog post on Thursday, Zomato mentioned that its security team discovered a breach in its system wherein encrypted passwords and raw usernames/emails belonging to 17 million users were stolen by unidentified hackers. The company, however, claims that payment-related data and credit card details have not been stolen or leaked, since they are stored in an encrypted format. Note that Zomato says: “We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text.”
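As an illustration of the storage scheme Zomato describes (a one-way hash, multiple iterations, an individual salt per password), here is an added example that is not Zomato's code or part of the original report. Zomato does not name its algorithm, so PBKDF2-HMAC-SHA256, the iteration count, the record format and the function names are all assumptions.

```python
import base64
import hashlib
import hmac
import secrets

ALGO = "pbkdf2_sha256"   # assumption: the article does not name the algorithm
ITERATIONS = 600_000     # assumed current policy; older records may carry fewer
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS):
    """Return 'algo$iterations$salt$digest' using a fresh random salt."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password, stored):
    """Return (ok, needs_rehash). Malformed or unknown records fail closed."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # wrong field count, bad integer or bad base64
        return False, False
    if algo != ALGO or iterations < 1:
        return False, False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    # Constant-time comparison avoids leaking how many bytes matched.
    ok = hmac.compare_digest(actual, expected)
    # A correct login against a record below policy should be re-hashed
    # at the current iteration count while the plaintext is in hand.
    return ok, ok and iterations < ITERATIONS
```

Because every record carries its own salt, two users with the same password get different stored values, so precomputed tables do not apply and the full iteration cost is paid per guess, per user. The second return value lets a service raise its iteration count over time without forcing a reset.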

To address the breach, Zomato has reset passwords and logged the affected users out of the app and the website. It added that even though the encrypted passwords cannot be decrypted, it has advised users to reset their passwords.

“So far, it looks like an internal (human) security breach – some employee’s development account got compromised. A layer of authorisation will be added for internal teams having access to this data to avoid the possibility of any human breach,” Zomato added. The company said that it will be rolling out specialised updates for “enhancing security measures for all user information stored within our database”, but did not provide a timeline.

Note that this isn’t the first time that Zomato has come across security issues in its system. In 2015, Zomato was hacked by an Indian ethical hacker named Anand Prakash, who not only discovered a critical security flaw in Zomato’s system but also pointed out a bug which could expose a Zomato user’s Instagram images. Zomato, however, fixed the issue after Prakash forwarded the vulnerability report to the company.

No protection for users without a privacy law

Apart from Zomato, several Indian startups, companies and government agencies have reported incidents of user data leakage in the past, including Ola, McDonalds India, CloudFlare’s data breach affecting Indian sites, and even private clinical labs leaking patient data. In the case of the Mumbai lab attack last December, the management of the lab in question simply decided to ignore the leak, stating that “we are not planning to do anything about this.” This can be fixed with a strong privacy law:
i) Companies could be held accountable for negligence;
ii) The government can even fix a standard encryption protocol for storing sensitive data;
iii) The law could also specify courses of action in case a company’s database is compromised.

Reports of Zomato data being sold online

According to a report by HackRead, a vendor going by the online handle of “nclay” is claiming to have hacked Zomato and to be selling the data of its 17 million registered users on a popular Dark Web marketplace. The database includes emails and password hashes of registered Zomato users, while the price set for the whole package is USD 1,001.43 (BTC 0.5587). The vendor also shared a trove of sample data to prove that the data is legit, the publication added. Note that this information could not be verified by MediaNama.

Zomato Financials

Zomato reported revenues of $49 million for the financial year ended 31st March 2017 (FY17), a growth of 80% over FY16. For FY17, food ordering accounted for $9 million in revenues, around 8 times that of FY16. Meanwhile, ad sales accounted for $38 million in revenues in FY17, 58% higher than FY16.


MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
