      UPDATE: Zomato's Data Theft Disclosure Raises More Questions Than It Answers

      Zomato's disclosure about a cyber theft is commendable but is it downplaying a serious attack?

By Karen Rebelo
Published 18 May 2017 7:26 PM IST

      Zomato's disclosure that it suffered a cyber security breach and a subsequent update about it plugging the leak raises questions whether India's most well funded food tech company has been fully transparent about the extent of the attack and potential financial risks to customers.

      The start-up led by Deepinder Goyal, on May 18th said 17 million user records were stolen from its database but that no payment or credit card data was stolen or leaked.

      In its official blog, the online restaurant guide and food delivery app said since the stolen information was encrypted it could not easily be converted to plain text by hackers.

"We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We, however, strongly advise you to change your password for any other services where you are using the same password," Gunjan Patidar, Chief Technology Officer, wrote.

However, the blog post lacked specifics about when and where the attack took place and how Zomato discovered it. The post also did not address accounts that were tied to Facebook and Google, or whether Zomato had reached out to affected users individually.

      (In its updated post the company now says it did not have any passwords for users that used Facebook and Google to log in to its site and therefore those passwords are safe.)

      There is also evidence that the original blog post was edited a few times as this tweet from Pranesh Prakash, Policy Director at the Centre for Internet and Society (CIS) in Bangalore, suggests.

      @HackRead @Zomato The old #Zomato blog post gave very bad advice and didn't mention salting. Revised post mentions salting and gives better advice #databreach pic.twitter.com/a4JROjBPrl

      — Pranesh Prakash (@pranesh) May 18, 2017

      ZOMATO DATA WAS UP FOR SALE ON DARK WEB

Several hours before Zomato's first official blog post on the breach, HackRead reported that 17 million hacked account details from Zomato were up for sale on the Dark Web. HackRead also reported that it found a vendor going by the name "nclay", who claimed to have hacked Zomato and was demanding $1,001.43 (0.5587 Bitcoin) for the data.

This is important as Zomato's original post did not mention that the stolen data was up for sale on the Dark Web.

"Zomato is spot on about everything in their blog post but one, and the most crucial thing they didn't mention properly is the fact that the leaked passwords are encrypted with simple MD5 hashes which can be decrypted within a few seconds," Waqas Amir, who broke the story for HackRead, told BOOM in an email. Amir, who is based in Milan, is also the founder and editor of HackRead.

MD5 is a fast, general-purpose hash function that has been used to hash passwords, but it has long been known to suffer from extensive weaknesses, and its speed is exactly what lets an attacker who holds the stolen hashes test guesses so quickly.
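The difference between the plain MD5 storage HackRead describes and the salted, iterated one-way hashing Zomato says it uses, as an added Python example that is not part of this article or of Zomato's code. The user names, the shared password, the choice of PBKDF2-HMAC-SHA256 and the iteration count are constructed assumptions; it shows why a missing salt exposes users who share a password and why iterations raise the cost of every guess.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed sample data (assumption): two users who chose the same weak password.
USERS = {"alice": "summer2017", "bob": "summer2017"}


def md5_unsalted(password: str) -> str:
    """The weak scheme HackRead describes: one plain MD5 digest per password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Salted, iterated one-way hash (PBKDF2-HMAC-SHA256 from the standard library).

    A fresh random salt per password means equal passwords get different hashes,
    and the iteration count makes each guess cost the attacker ~100k hash operations.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Store the parameters next to the digest so they can be verified (and raised) later.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations, then compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_hash_for_same_password(scheme) -> bool:
    """True if two users sharing a password end up with identical stored values."""
    return scheme(USERS["alice"]) == scheme(USERS["bob"])


def guesses_per_second(scheme, n: int = 20) -> float:
    """Rough cost of checking n candidate passwords under a given scheme (defender's metric)."""
    start = time.perf_counter()
    for i in range(n):
        scheme(f"guess{i}")
    return n / (time.perf_counter() - start)
```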

      Amir told BOOM that he reached out to Zomato through a contact form on their website and messaged them through their verified Facebook page, before publishing his story but did not receive a response from the company.

      BOOM reached out to Zomato separately but the company declined to comment beyond what the blog posts state.

      PLUGGING THE LEAK

In a second blog post, Zomato said it had reached out to the hacker who put the user data up for sale on the Dark Web marketplace and had plugged the breach by promising the hacker a well-funded bug bounty program run on Hackerone. A bug bounty is a reward a company gives to anyone who reports a bug in its software.

"The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers," Zomato said.

      Zomato also said the hacker had agreed to destroy all copies of the stolen data and take the data off the Dark Web marketplace.

"We are introducing a bug bounty program on Hackerone very soon. With that assurance, the hacker has in turn agreed to destroy all copies of the stolen data and take the data off the dark web marketplace. The marketplace link which was being used to sell the data on the dark web is no longer available."

      Zomato finally acknowledged the full extent of the problem.

"...we are going to be cautious and paranoid, as this is a sensitive matter. 6.6 million users had password hashes in the ‘leaked’ data, which can be theoretically decrypted using brute force algorithms. We will be reaching out to these users to get them to update their password on all services where they might have used the same password."

Indian companies are notorious for under-reporting and not disclosing cyber attacks on their networks, and Zomato’s disclosure in this regard is commendable.

      But it took criticism for the company to stop downplaying the attack and acknowledge the vulnerabilities in its systems.

"There were two clear objections. First, the fact that the way they stored the password and the ‘hashing algorithm’ they used for this purpose, was completely inappropriate," Pranesh Prakash, Policy Director at CIS, told BOOM.

      "Second is that the initial statements they put out grossly underplayed the threat to users' passwords, and provided bad advice. Thankfully, they corrected that in later updates on their blog," Prakash said.

      Sources

      https://blog.zomato.com/post/160791675411/security-notice

      https://blog.zomato.com/post/160807042556/security-notice-update

      https://www.hackread.com/zomato-hacked-17-million-accounts-sold-on-dark-web/
