We have not found any evidence to confirm this breach as of now although we continue to investigate further with security experts, said Ixigo's Aloke Bajpai.
Two days after 18 million users’ data of online travel and hotel booking company Ixigo was reportedly hacked, its founder and CEO Aloke Bajpai has confirmed to FE Online that the company has not found any evidence so far to confirm the data breach.
“We have not found any evidence to confirm this breach as of now although we continue to investigate further with security experts,” Bajpai told FE Online.
The company on Saturday morning had sent an alert to its 100 million users over the alleged security breach and asked them to change their passwords.
“Currently it is an alleged breach but to be on the safer side we are going with all the pre-emptive security measures to contain any potential damage,” Bajpai said.
Bajpai has assured of no serious repercussions on the business so far even as the company has already reset its users’ security tokens.
A security token is a portable device that authenticates a person’s identity electronically by storing some sort of personal information. The owner plugs the security token into a system to grant access to a network service, according to investing and finance education portal Investopedia.
The supposed hack targeted names, email ID and passwords happened.
Bajpai said that the company stores only names and email IDs, not passwords. “We are a meta search engine, so the transactional or payment data goes to third party companies.”
With respect to passwords, Bajpai said that they are hashed or encrypted with a hashing algorithm. Such passwords are not easily unhashed while all leading websites globally too use it to secure user data.
Hashing is referred to representing any data in a unique set of characters.
“So even if someone allegedly gets access to data, it doesn’t mean they can hack that person’s account because there is literally no access to password,” said Bajpai.
Most of Ixigo users login through their Google and Facebook accounts or mobile numbers. Since mobile number login is OTP based which has two-factor authentication, it cannot be used to hack passwords. In terms of emails, Google and Facebook logins happen on a third party redirection model which are taken care of by Google and Facebook themselves,” said Bajpai.