A hack has put data of 17 million Zomato users at risk: Should India be worried?


It’s sad, but someone, somewhere on the Dark Web will now be privy to all your eating habits, or at least the ones that Zomato knows about.

For the uninitiated, Zomato is an Indian food start-up that started in 2008. The food search engine, restaurant guide and online delivery portal, which now has an app as well, has almost 12 million customers every month. Zomato is not only a popular guide to eateries across India, but in 22 other countries as well. For millennials, Zomato is almost as essential as the Yellow Pages were back in the day.

But, coming back to the topic, Zomato has now been hacked and the data of close to 17 million users has been stolen and put up for sale on the Dark Web. First reported by HackRead late on Wednesday night (May 17), the report suggested that an online handle “nclay” claimed to have hacked Zomato and was selling the stolen data (of 17 million registered users) on a Dark Web marketplace.

Wait. What is the Dark Web?

The Surface Web is anything that a search engine can find, while the Deep Web is anything that a search engine can’t find. The Dark Web is a small portion of the Deep Web that has been intentionally hidden and is inaccessible through standard web browsers.

The most famous content that resides on the Dark Web is found in the TOR (The Onion Router) network. The TOR network is an anonymous network that can only be accessed with a special web browser, called the TOR browser. This is the portion of the Internet most widely known for illicit activities because of the anonymity associated with the TOR network.

Back to Zomato

The database includes the emails and “hashed” passwords of registered Zomato users, and is being sold for 0.5587 Bitcoin (almost Rs 65,000). The vendor “nclay” also provided a sample of the data to prove his claim.

On May 18, Zomato’s CTO Gunjan Patidar published a blog post acknowledging the hack. Trying to avoid panic and setting facts straight, Patidar says, “The hashed password cannot be converted back to plain text — so the sanctity of your password is intact in case you use the same password for other services.”


But he also cautioned users to change their passwords in any case, and to change the passwords for other services too, just in case they happen to be the same. This is because, while hashed passwords are difficult to crack, it is never prudent to underestimate the abilities of hackers.

This is kind of why everyone should have different (and complex) passwords for different accounts and everyone should use a password manager to keep track of stuff. Seriously, it’s not that difficult a thing to do.
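To make Patidar’s point and the caution after it concrete, here is an added Python example (not Zomato’s code; the password, the word list and both hashing schemes are constructed for illustration). It shows that a digest is one-way yet still matchable by guessing, that an unsalted digest is identical wherever a password is reused, and what a salted, iterated scheme changes.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed sample values for this illustration (not from the breach).
REUSED_PASSWORD = "zomato2017"
COMMON_PASSWORDS = ["123456", "password", "qwerty", "zomato2017", "letmein"]


def fast_unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: one-way, but every service storing the
    same password this way ends up with the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def matched_by_guessing(leaked_digest: str, candidates: Iterable[str]) -> Optional[str]:
    """A digest is never 'converted back', but whoever holds it can hash
    guesses and compare. Returns the candidate that matches, or None."""
    for guess in candidates:
        if hmac.compare_digest(fast_unsalted_hash(guess), leaked_digest):
            return guess
    return None


def salted_slow_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user salt: the same password yields a
    different digest at every service, and each guess costs `iterations` rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time check of a candidate against a stored salted digest."""
    return hmac.compare_digest(salted_slow_hash(password, salt), stored)


def same_digest_at_both_services(password: str, salted: bool) -> bool:
    """Would a leak at one service reveal the user's digest at another?
    True for the unsalted scheme, False once each service salts independently."""
    if not salted:
        return fast_unsalted_hash(password) == fast_unsalted_hash(password)
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    return salted_slow_hash(password, salt_a) == salted_slow_hash(password, salt_b)


if __name__ == "__main__":
    leaked = fast_unsalted_hash(REUSED_PASSWORD)
    print("matched from common list:", matched_by_guessing(leaked, COMMON_PASSWORDS))
    print("reused password correlates across services:", same_digest_at_both_services(REUSED_PASSWORD, False))
    print("... once salted:", same_digest_at_both_services(REUSED_PASSWORD, True))
```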

More importantly, and to the relief of millions of customers, Zomato has assured that payment related information on the site — which is stored separately in a highly secure PCI Data Security Standard (DSS) compliant vault — has not been leaked. So, your bank details and credit card details on Zomato are safe. Whew!

Continuing with the assurances, Patidar said, “Over the next couple of days and weeks, we’ll be actively working to plug any more security gaps that we find in our systems. We’ll be further enhancing security measures for all user information stored within our database, [and] a layer of authorisation will be added for internal teams having access to this data to avoid the possibility of any human breach.”

Of course, despite the assurances from the company, it is a little difficult to remain calm. For a company as huge as Zomato, a hack of this size is pretty worrisome. In fact, this is not the first time something like this has happened to the food start-up. In 2015, an ethical hacker, Anand Prakash — who has also helped discover security bugs at Facebook and Uber — breached Zomato’s database and highlighted a critical flaw in its data recall system. The white hat hacker later reported the details of the security flaws to Zomato.

We should be concerned

Hacks and cyber attacks, in an age when we are becoming increasingly dependent on the internet, are a big problem. While it is, without a doubt, a company’s responsibility to safeguard user data, users themselves cannot simply wash their hands of all responsibility. The fact is, your data is only as safe as you choose for it to be.

In an increasingly data-vulnerable world, it is always prudent to keep your passwords different and complex, and to keep changing them periodically. It is also up to you, as a consumer, to choose security over convenience. Yes, it is easy to save your banking, debit card or credit card details on vendor websites and apps. It saves you the pain of having to input them every time you use the given service. But isn’t security a bigger worry than having to type in a 16-digit number?

The Zomato breach may not have been a harmful one — or so it seems as of now — but this is neither the first major hack we have witnessed in this country in the last few months, nor is this going to be the last. Both companies and users really need to get their security priorities in place.