Zomato says it fixed data breach; loopholes in its encryption methods

Zomato announced in a blog post today that it had contacted the unidentified hacker from yesterday’s data breach. The breach had led to details of 7.7 million users being stolen. The leaked information, listed for sale on a Darknet market (hansamkt2rr6nfg3.onion/listing/93556), was taken down by the hacker after Zomato requested them to do so, the company added.

The food delivery company is also introducing a new bug bounty program for ethical hackers after the hacker apparently advised the company to do so. “The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and…plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers. We are introducing a bug bounty program on Hackerone very soon,” the company said in the post.

However, several security researchers who claimed to have analyzed the leaked data have raised doubts on Twitter. Zomato was apparently using an outdated algorithm (MD5) for hashing passwords, a researcher, Sajal Thomas, claimed. This HackRead report, which claims to have reviewed a sample of the leaked data, points out that the usernames leaked on the Darknet portal were genuine. MediaNama was not able to independently verify this.

Loopholes in Zomato’s password encryption method

The MD5 algorithm, used by Zomato for hashing passwords, was classed as an “insecure cryptographic storage” method by The Open Web Application Security Project (OWASP) back in 2007. This puts users at risk, since the hashed passwords stored in Zomato’s database can be reversed to the original passwords with relative ease. Thomas, the researcher, claimed on Twitter that he was able to decrypt the Zomato data taken from the Darknet market in “seconds”.


Zomato said on its blog that data points including emails, user IDs, names, usernames, email addresses, and password hashes with ‘salt’ were exposed in the data breach. “Your payment information is absolutely safe, and there’s no need to panic,” the company said.

But there is a possibility of decrypting the hashed (encrypted) passwords, placing bank/card details at risk. Here is how:

Zomato said in its earlier blog that it had applied an “individual salt per password” before hashing it. A salt is a random 64-bit value which is combined with a password to add an extra layer of security.

Eg. password: “Qwerty123”
Random salt value: 84B03D034B409D4E
Password + salt value: Qwerty123+84B03D034B409D4E (before hashing)
Final hashed password stored in Zomato’s database (MD5 digest, 32 hex characters): bc03e833386720a479f69562156b541c


The above cryptographic method is intended to reduce the effectiveness of a brute-force attack or dictionary attack: a password-cracking method that tries candidate passwords, either every combination of characters or every entry in a list of common passwords, until one of them produces the stored hash.

It is unclear whether the salt value for each password (which is kept in clear text) was stored on the same server as the passwords, or with the same access controls. If this is the case, then there is a possibility that a hacker can gain access to the salt value, allowing them to easily recover the password from the hash. MediaNama has written to Zomato to confirm whether it used the outdated MD5 algorithm, and whether it stored salt values on the same server as the passwords. We are yet to hear back from them.
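To make the two points above concrete (why a leaked salt does not protect an MD5 hash, and what the fix looks like), here is an added Python example. It is not code from the article or from Zomato: the “password+salt” join follows the article’s illustration, the real scheme Zomato used is unknown, and the word list is constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed values, taken from the article's illustration: a password and a 64-bit salt in hex.
EXAMPLE_PASSWORD = "Qwerty123"
EXAMPLE_SALT_HEX = "84B03D034B409D4E"


def salted_md5(password: str, salt_hex: str) -> str:
    """Hash password and salt with MD5, laid out the way the article shows ("Qwerty123+84B03D...").

    The "+" join is an assumption: the article does not say how Zomato actually combined the two.
    MD5 produces a 128-bit digest, so the stored value is always 32 hex characters.
    """
    return hashlib.md5(f"{password}+{salt_hex}".encode("utf-8")).hexdigest()


def verify_md5(password: str, salt_hex: str, stored_hash: str) -> bool:
    """Legitimate login check: recompute the salted hash and compare in constant time."""
    return hmac.compare_digest(salted_md5(password, salt_hex), stored_hash)


def dictionary_recover(stored_hash: str, salt_hex: str, wordlist):
    """Model the risk the article describes: if the salt leaks together with the hash,
    each guess costs a single MD5 call, so a list of common passwords is checked almost
    instantly. Returns (recovered_password_or_None, number_of_guesses_tried)."""
    tries = 0
    for candidate in wordlist:
        tries += 1
        if salted_md5(candidate, salt_hex) == stored_hash:
            return candidate, tries
    return None, tries


def pbkdf2_sha256(password: str, salt: bytes, iterations: int = 600_000) -> str:
    """Mitigation: a deliberately slow, iterated password hash (PBKDF2-HMAC-SHA256 from the
    standard library). The salt still leaks with the database, but each guess now costs
    `iterations` HMAC computations instead of one MD5."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def new_salt(n_bytes: int = 16) -> bytes:
    """Fresh random salt per password (16 bytes here; the article's example uses 8)."""
    return os.urandom(n_bytes)


if __name__ == "__main__":
    stored = salted_md5(EXAMPLE_PASSWORD, EXAMPLE_SALT_HEX)
    print("stored MD5:", stored, "(length", len(stored), ")")
    # Constructed word list standing in for a "most common passwords" list.
    wordlist = ["password", "123456", "qwerty", "Qwerty123", "letmein"]
    print("dictionary result with known salt:", dictionary_recover(stored, EXAMPLE_SALT_HEX, wordlist))
    salt = new_salt()
    print("PBKDF2 (prefix):", pbkdf2_sha256(EXAMPLE_PASSWORD, salt)[:16], "...")
```

The design point is that once the hash and its salt are in the same leaked dump, the salt only prevents precomputed tables from being reused across accounts; it does nothing about the cost of each guess. That cost is what a slow, iterated password hash (PBKDF2, bcrypt, scrypt or Argon2) raises, which is why the fix for a scheme like the one described is to replace MD5, not to lengthen the salt.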

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ