The last few days have been super busy for the cyber security industry ranging from the WannaCrypt attack to ATMs being hacked and now the Zomato Hack. Yesterday, Zomato announced on their official blog that they've been hacked and 17 million user accounts have been compromised.
Zomato has around 120 million users visiting every month, and this is not the first time they've been hacked. A couple of years ago, 62.5 million user data points at Zomato were compromised. According to HackRead, a hacker who goes by the name "nclay" hacked into Zomato's database and stole the user details of 17 million accounts. These were also put up for sale on the Dark Web. The whole list was listed for about 0.5521 BTC, which translates to around $1000. Here's a screenshot of the sample data publicly shared by "nclay."
A data sample was also shared, and it appeared to be accurate.
According to the company's official statement, most users sign in through a third-party login method such as Facebook or Google, for which Zomato doesn't store any passwords. For the remaining accounts, passwords are stored only as the output of a one-way hashing algorithm. In theory, such hashes can still be reversed by brute force, that is, by hashing candidate passwords until one matches. Zomato acknowledged this possibility and reset the passwords of all users affected by this hack. All users were also immediately logged out of their accounts across all devices.
They also added that no payment information or credit card information was stolen or leaked.
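The two points in Zomato's statement above, hashed password storage and a forced logout on every device, can be shown in a few lines. The following is an added example written for this post; it is not Zomato's code and nothing is known about which hash function or session mechanism they actually use. It contrasts a fast, unsalted hash (recoverable from a precomputed table of common passwords) with a salted, deliberately slow PBKDF2 hash, and it implements "log everyone out" as a per-user session version that every issued session must match. The iteration count, the user record layout and the sample passwords are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: work factor for PBKDF2-HMAC-SHA256 chosen for the example;
# the point is that it is tunable and expensive, unlike a bare MD5/SHA call.
PBKDF2_ITERATIONS = 600_000

# Constructed sample dictionary of common passwords (not real breach data).
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]


def fast_unsalted_hash(password: str) -> str:
    """A fast, unsalted hash: cheap for the server and just as cheap to precompute."""
    return hashlib.md5(password.encode()).hexdigest()


def recover_from_table(stored_hash: str) -> Optional[str]:
    """Why an unsalted fast hash is 'recoverable': one shared table of common
    passwords matches any user's hash directly. Returns the plaintext if found."""
    table = {fast_unsalted_hash(p): p for p in COMMON_PASSWORDS}
    return table.get(stored_hash)


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    session_version: int = 1  # bumped to invalidate every live session at once


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow hash. A fresh random salt per user means no shared lookup
    table works, and the iteration count makes each guess expensive."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(password: str) -> UserRecord:
    salt, digest = hash_password(password)
    return UserRecord(salt=salt, pw_hash=digest)


def verify_password(user: UserRecord, candidate: str) -> bool:
    _, digest = hash_password(candidate, user.salt)
    # Constant-time comparison so a mismatch position leaks nothing.
    return hmac.compare_digest(digest, user.pw_hash)


def issue_session(user: UserRecord) -> dict:
    """A session (e.g. cookie payload) records the version it was issued under."""
    return {"token": os.urandom(16).hex(), "version": user.session_version}


def session_is_valid(user: UserRecord, session: dict) -> bool:
    return session["version"] == user.session_version


def reset_after_breach(user: UserRecord, new_password: str) -> None:
    """Breach response: rehash with a new salt and log the user out everywhere."""
    user.salt, user.pw_hash = hash_password(new_password)
    user.session_version += 1


if __name__ == "__main__":
    alice = register("qwerty")
    cookie = issue_session(alice)
    print("lookup-table hit on MD5:", recover_from_table(fast_unsalted_hash("qwerty")))
    print("login ok:", verify_password(alice, "qwerty"))
    reset_after_breach(alice, "correct horse battery staple")
    print("old session still valid after reset:", session_is_valid(alice, cookie))
```

Two users who pick the same password end up with different `pw_hash` values because each gets its own salt, which is what defeats the shared-table recovery shown for the unsalted case; the slow work factor is what makes per-user guessing costly. The session version is the simplest way to implement a global logout without tracking every device's token.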
How the Zomato Hack Happened
According to Zomato officials, the hacker obtained one of their developers' credentials from an old web hosting service leak in October 2015. The hacker then tried the same credentials on the developer's GitHub account and, surprisingly, they worked there too.
It was from the developer's GitHub account that the hacker obtained a piece of code which further assisted him in the breach. Having that code alone did not give the hacker access to Zomato's databases, however, as those can be reached only from a specific set of IP addresses.
Nevertheless, the hacker exploited some vulnerabilities in the code and gained access to the database anyway. Officials acknowledged that the code had not been updated for a long time. The hacker had carried out the breach last year, but only now decided to make it public.
The Latest Update on the Zomato Hack
The latest update is that Zomato was successful in having an open dialogue with the hacker. Apparently, the hacker's demand was to get the company to run a healthy bug bounty program. Please note Zomato already had a bug bounty program before wherein hackers who report bugs are mentioned on their Hall of Fame and receive some appreciation. Most companies in the US and other geographies run a more organized bounty program where people who report the issues are not only given recognition but an impressive amount of remuneration as well.
Zomato has announced that they will be launching a new bug bounty program soon.
Also, the database listed on the Dark Web marketplace has been taken off.
Here's Why the Zomato Hack is a Good Thing
- The first thing is that I, and everyone on my team here at Appknox, appreciate the way Zomato handled this. I think it takes a lot of courage to publicly announce and accept something like this. They took ownership and resolved the issue in less than 24 hours.
- Zomato kept posting updates on their blog and social media to keep users informed about what was happening.
- Zomato's response to the hack is something we appreciate as well. They immediately reset the passwords of all the compromised accounts and logged out all users who might have been affected.
- Simultaneously, they engaged with the hacker to understand the intentions behind the hack.
- They've acknowledged the fact that they can run a better bug bounty program and have started working on it.
- The hacker has shared the details of the exploit which Zomato will be sharing in a few days so that others can learn from their mistakes.
I think this is a great thing for the Indian tech and startup community. I was in Mumbai a few months ago at the Barclays Rise Accelerator, speaking with the Barclays Global CIO. He mentioned how all the major banks are constantly under attack from hackers around the world. They've formed a consortium of five banks to immediately share data about hacks so that the others can protect themselves.
The point I want to emphasize here is that security is something that keeps changing. It's a cat-and-mouse chase, and sometimes the hackers win. The key thing is to be open and discuss it so that the community can learn and adapt. It is a bit like how you perceive a major car manufacturer when they recall units because they've identified a defect that can harm the consumer. Many people see this as a bad thing or frame it negatively. I think it's a great thing, because at least they are proactively identifying issues and fixing them. The same analogy applies here. Accepting and acknowledging something like this takes a lot of courage, and sharing your mistakes with the community is an even bigger thing to do.
We hope someday all the businesses in our ecosystem adopt this attitude so that others can learn and create a good safety net as well as draft a good action response plan.