Less than 24 hours after revealing a major security breach that compromised the accounts of millions of its users, restaurant search service Zomato has revealed that it has engaged with the hacker responsible and has agreed to meet certain conditions in exchange for the stolen data being removed from the dark web. Zomato, which claims around 120 million users each month, said that around 17 million email addresses and hashed passwords had been stolen.
The company later clarified that 60 percent of those accounts actually used third-party OAuth services such as Facebook and Google to log in. But that still left around 7 million users vulnerable, particularly if they used the same email/password combination on other services.
While Zomato had sought to assure the affected users that their passwords could not easily be decrypted, it seems that was not necessarily the case, with some security experts claiming they were able to decrypt some passwords relatively quickly and others pouring scorn on Zomato’s cryptographic efforts. The party claiming responsibility for the hack told Motherboard that they had found the vulnerability in Zomato’s infrastructure around a year ago and that, after reporting it to the company, they had heard nothing back.
The hackers went medieval on Zomato by posting the data for sale on the dark web, which led Zomato to “open a line of communication” with the hacker, who it turns out was “very cooperative.”
“We are introducing a bug bounty program on Hackerone very soon,” continued Patidar. “With that assurance, the hacker has, in turn, agreed to destroy all copies of the stolen data and take the data off the dark web marketplace. The marketplace link which was being used to sell the data on the dark web is no longer available.”
Read the full story on venturebeat.com | Zomato agrees to hacker’s demand — will launch bug bounty program in exchange for stolen data deletion