Zomato's disclosure that it suffered a cyber security breach, and a subsequent update saying it had plugged the leak, raise questions about whether India's best-funded food tech company has been fully transparent about the extent of the attack and the potential financial risk to customers.
The start-up, led by Deepinder Goyal, said on May 18 that 17 million user records had been stolen from its database but that no payment or credit card data had been stolen or leaked.
In its official blog, the online restaurant guide and food delivery app said that because the passwords in the stolen data were hashed rather than stored in plain text, hackers could not easily recover them.
"We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We, however, strongly advise you to change your password for any other services where you are using the same password," Gunjan Patidar, Chief Technology Officer, wrote.
However, the blog post gave no specifics about when and where the attack took place or how Zomato discovered it. Nor did it address accounts tied to Facebook and Google logins, or say whether Zomato had contacted affected users individually.
(In its updated post the company says it never held passwords for users who logged in through Facebook or Google, and that those passwords are therefore unaffected.)
There is also evidence that the original blog post was edited several times, as this tweet from Pranesh Prakash, Policy Director at the Centre for Internet and Society (CIS) in Bangalore, suggests.
[Embedded tweet: Pranesh Prakash (@pranesh), May 18, 2017]
ZOMATO DATA WAS UP FOR SALE ON DARK WEB
Several hours before Zomato's first official blog post on the breach, HackRead reported that details of 17 million hacked Zomato accounts were up for sale on a dark web marketplace. HackRead also reported finding a vendor going by the name "nclay" who claimed to have hacked Zomato and was asking $1,001.43 (0.5587 bitcoin) for the data.
This matters because Zomato's original post did not mention that the stolen data was up for sale on the dark web.
"Zomato is spot on about everything in their blog post but one and the most crucial thing they didn't mention properly is the fact that the leaked passwords are encrypted with simple MD5 hashes which can be decrypted within a few seconds," Waqas Amir, who broke the story for HackRead, told BOOM in an email. Amir, who is based in Milan, is also the founder and editor of HackRead.
MD5 is a general-purpose hash function from the early 1990s that was long used to store passwords, and it is a poor choice for that job. It is designed to be fast, so commodity GPUs can test billions of candidate passwords per second against a stolen hash, and if no per-user salt is added, every account that shares a password shares the same hash, so one precomputed table of common passwords cracks all of them at once. Strictly speaking a hash is not "decrypted": it cannot be reversed, only matched by guessing, which is why cheap hashes and weak passwords are the fatal combination. MD5's collision resistance has also been broken since 2004, which is why it is deprecated for signatures and certificates, though that is a separate weakness from the one that matters for a leaked password table.
Amir told BOOM that he reached out to Zomato through a contact form on its website and messaged the company through its verified Facebook page before publishing his story, but did not receive a response.
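The following is an added illustration and not Zomato's or HackRead's code; the page does not establish which scheme Zomato actually used, so the script simply contrasts the two schemes the article describes: unsalted MD5 as alleged by HackRead, and a per-user salt with iterated hashing as described by Zomato's CTO (here PBKDF2-HMAC-SHA256, a stand-in chosen for illustration). The user accounts and the attacker's wordlist are constructed for the example. It runs the same dictionary attack against both leaked tables and counts the hash computations each one costs.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real Zomato data). "frank" has a password
# that no wordlist contains, to show what the attack cannot recover.
USERS = {
    "alice": "password",
    "bob": "123456",
    "carol": "zomato123",
    "dave": "qwerty",
    "erin": "letmein",
    "frank": "kZ#9v!Lq2pR8wT",
}

# Constructed attacker wordlist. A real one (e.g. rockyou) has tens of millions of entries.
WORDLIST = ["iloveyou", "password", "123456", "zomato123", "qwerty", "letmein", "dragon", "football"]

# Illustrative work factor; real deployments should use the highest their latency budget allows.
PBKDF2_ITERATIONS = 100_000


def md5_hex(password):
    """Unsalted MD5: the same password always yields the same hash for every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def leak_md5(users):
    """What a stolen table of unsalted MD5 hashes looks like."""
    return {user: md5_hex(pw) for user, pw in users.items()}


def crack_md5(leaked, wordlist):
    """Dictionary attack on unsalted hashes: hash the wordlist ONCE, then look up every
    leaked hash in that table. Cost does not grow with the number of victims, which is why
    millions of accounts fall "within seconds"."""
    table = {md5_hex(w): w for w in wordlist}
    found = {user: table[h] for user, h in leaked.items() if h in table}
    return found, len(wordlist)  # hashes computed


def pbkdf2(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def leak_pbkdf2(users, iterations=PBKDF2_ITERATIONS):
    """Per-user random salt plus iterated hashing; each record stores (salt, iterations, digest)."""
    records = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        records[user] = (salt, iterations, pbkdf2(pw, salt, iterations))
    return records


def crack_pbkdf2(leaked, wordlist):
    """The same dictionary attack against salted, iterated hashes. The salt defeats the shared
    table, so every (victim, guess) pair costs a full PBKDF2 computation; the salt does NOT
    protect a password that is in the wordlist, only the iteration count slows the attacker."""
    found = {}
    hashes_computed = 0
    for user, (salt, iterations, digest) in leaked.items():
        for guess in wordlist:
            hashes_computed += 1
            if hmac.compare_digest(pbkdf2(guess, salt, iterations), digest):
                found[user] = guess
                break
    return found, hashes_computed


def compare(users=USERS, wordlist=WORDLIST):
    """Run both attacks and report who was cracked and what it cost."""
    md5_found, md5_hashes = crack_md5(leak_md5(users), wordlist)
    kdf_found, kdf_hashes = crack_pbkdf2(leak_pbkdf2(users), wordlist)
    return {
        "md5_cracked": sorted(md5_found),
        "md5_hashes": md5_hashes,
        "pbkdf2_cracked": sorted(kdf_found),
        "pbkdf2_hashes": kdf_hashes,
        "pbkdf2_hmac_evaluations": kdf_hashes * PBKDF2_ITERATIONS,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Both attacks recover the five weak passwords and neither recovers frank's, but the unsalted table costs 8 MD5 computations for any number of victims, while the salted, iterated table costs 28 PBKDF2 calls (2.8 million HMAC evaluations) for six victims and scales with the number of accounts. That is the difference between "cracked in seconds" and a real cost per account, and it is also why Zomato's later advice to change reused passwords stands regardless of scheme: a password in the attacker's wordlist falls either way.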
BOOM reached out to Zomato separately but the company declined to comment beyond what the blog posts state.
PLUGGING THE LEAK
In a second blog post, Zomato said it had contacted the hacker who put the user data up for sale on the dark web marketplace and had "plugged the leak" by promising a well-funded bug bounty programme run on HackerOne. A bug bounty is a reward a company pays to anyone who responsibly reports a security flaw in its software.
"The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers," Zomato said.
Zomato also said the hacker had agreed to destroy all copies of the stolen data and remove the listing from the dark web marketplace, an assurance that no one outside the transaction can verify.
"We are introducing a bug bounty program on Hackerone very soon. With that assurance, the hacker has in turn agreed to destroy all copies of the stolen data and take the data off the dark web marketplace. The marketplace link which was being used to sell the data on the dark web is no longer available."
Zomato finally acknowledged the full extent of the problem.
" ...we are going to be cautious and paranoid, as this is a sensitive matter. 6.6 million users had password hashes in the ‘leaked’ data, which can be theoretically decrypted using brute force algorithms. We will be reaching out to these users to get them to update their password on all services where they might have used the same password."
Indian companies are notorious for under-reporting and not disclosing cyber attacks on their networks, and Zomato's disclosure in this regard is commendable.
But it took criticism for the company to stop downplaying the attack and acknowledge the vulnerabilities in its systems.
"There were two clear objections. First, the fact that the way they stored the password and the "hashing algorithm" they used for this purpose, was completely inappropriate," Pranesh Prakash, Policy Director at CIS, told BOOM.
"Second is that the initial statements they put out grossly underplayed the threat to users' passwords, and provided bad advice. Thankfully, they corrected that in later updates on their blog," Prakash said.