Online restaurant search and discovery service Zomato on Thursday admitted to a hacking incident in which the credentials of as many as 17 million of its 120 million users were stolen. In a blog post published on its website, Zomato said its security team had discovered that user records had been stolen. The blog post said the stolen information included users’ email addresses and hashed passwords. The post, however, claims that the passwords could not be decrypted or converted back to plain text, leaving the sanctity of the passwords intact. Even so, Zomato said it is encouraging users to change the password on other devices that use the same password.
The blog post states that payment-related information was stored separately from the stolen data in what Zomato claimed to be a highly secure, PCI Data Security Standard compliant vault. It assured users that none of their payment information or credit card data had been leaked or stolen. However, passwords have been reset for all affected users, and these users have been logged out of the app and the website, Zomato added. Zomato said that its security teams were scanning all possible vectors of the breach and trying to close any such gaps in the environment. The company said, “So far, it looks like an internal (human) security breach – some employee’s development account got compromised.”
Since the passwords have been reset for all affected users, they would not be affected, Zomato assured. It said that these users had been logged out and that their accounts were secure. It said, “Your credit card information on Zomato is fully secure, so there’s nothing to worry about there.” The company said that it would be working over the next couple of days and weeks to plug any more security gaps that could be found in the system.