Moneycontrol News

India's largest online restaurant guide Zomato has suffered a security breach, with data from over 17 million user accounts now being sold on the dark web, according to a report in the security blog Hackread.

"The database includes emails and password hashes of registered Zomato users while the price set for the whole package is USD 1,001.43 (BTC 0.5587). The vendor also shared a trove of sample data to prove that the data is legit," says a post by Hackread. BTC stands for Bitcoins here.

According to Indian IT experts, Zomato is liable to pay a compensation in kind or cash to its users as the data contained personally identifiable information. "Each user account had associated with it a phone number, address, and an email id. The hack, if proven, can be a failure to protect personal data by Zomato making it liable under Section 43A of Indian IT Act, to pay compensation to its users," says Prashant Mali, International Cyber Law and Cyber Security Expert.

Section 43A of the Indian IT Act states that when a body corporate possessing, dealing with or handling any sensitive personal data or information in a computer resource which it owns, controls or operates is negligent in implementing and maintaining reasonable security practices, that body corporate shall be liable to pay damages by way of compensation, not exceeding Rs 5 crore, to the person so affected.

Online restaurant guide and food delivery app Zomato is present in over 20 countries and claims to have over 90 million user visits per month.

"Recently, our security team has discovered an incident that may have resulted in unauthorized access to account information (including name, email address and hashed password) for 17 million users on Zomato.

Although the users' names and email addresses were accessed, the security with which Zomato stores passwords means that they are still secure."

"The passwords are hashed and salted. This means it can’t be converted back to the original password. Hashing is a mathematical function designed to turn a password into an unintelligible string of characters, repeatedly but without the possibility of easily being translated back to the source password; and salting is a random, unique string of characters added to a user's password before it is hashed, rendering it likely unintelligible even if the hash is translated."

"Over the next couple of days, we’ll be actively working to improve our security systems - we’ll be further enhancing security measures for all user information stored within our database, and will also add a layer of authorization for internal teams having access to this data to avoid any human breach."

"Although the hashed password cannot be converted back to plain text, as a safety measure, we have reset the passwords for all affected users and logged them out of the app and website. Our team is actively scanning all possible breach vectors and closing any gaps in our environment."

"In our security investigation, we have found no evidence of unauthorized access to financial and/or credit card information. All payment information on Zomato is stored in a highly secure PCI Data Security Standard (DSS) compliant vault - no payment information or credit card data has been leaked."
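The hashing-and-salting scheme Zomato describes above, shown as an added example (not Zomato's code or anything from the original article): a per-user random salt with PBKDF2, constant-time verification, and the property that two users who chose the same password no longer share a stored hash, so a leaked table cannot be attacked with one precomputed lookup. The email addresses, passwords and iteration count are constructed values chosen for the example.

```python
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; tune for your own hardware.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, hash). A fresh 16-byte random salt is drawn per user."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def unsalted_md5(password: str) -> str:
    """The weak scheme salting replaces: one fixed digest per password value."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def count_identical_hashes(hashes: list) -> int:
    """Number of records whose hash is shared with at least one other record."""
    seen = {}
    for h in hashes:
        seen[h] = seen.get(h, 0) + 1
    return sum(c for c in seen.values() if c > 1)


def demo() -> dict:
    # Constructed records: two users who happened to pick the same password.
    users = {"alice@example.com": "Password123", "bob@example.com": "Password123"}
    weak = [unsalted_md5(p) for p in users.values()]
    strong = [hash_password(p)[1] for p in users.values()]
    return {
        # 2: identical digests, so one precomputed match breaks both accounts
        "md5_duplicates": count_identical_hashes(weak),
        # 0: different salts give different digests for the same password
        "salted_duplicates": count_identical_hashes(strong),
    }
```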