Zomato hacked, 17 million users’ accounts compromised by data theft

Digital Trends
Update: Zomato says it’s been able to “open a line of communication with the hacker” who has been “very cooperative with us.” It said the hacker wanted the company to “acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps.” It added that the hacker has agreed to “destroy all copies of the stolen data” and remove it from the dark web marketplace, but continued to urge affected users to change their passwords as a precaution.

Early on Thursday, online restaurant guide Zomato revealed it’d been hit by hackers, estimating that login details had been stolen from 17 million of its 120 million users.

In a post on its site, the India-based company said the “recent” discovery involved the theft of “email addresses and hashed passwords.” It insisted that no payment-related information had been nabbed in the attack as that data is held separately and wasn’t targeted.

However, the company said it would “strongly advise” all of its users to reset their passwords as a precautionary measure, and also to reset them on any other services where the same password is used. For the 17 million users Zomato could positively identify as having been directly affected, the company said it’d forced a password change and was notifying them of the move so they could then reset it themselves.

The service, founded in 2008, is a Yelp-like user-reviewed directory of more than 1.2 million popular restaurants, cafes, and bars in more than 10,000 cities across 24 countries, many of which are located in the United States. The service also offers food deliveries and lets you book tables. Digital Trends included Zomato in its “best apps” listings back in 2013.

Later on Thursday, Zomato updated its post, reminding its users that those who log in via services such as Facebook and Google needn’t worry about the breach, as it holds no login information for such users. “We don’t have any passwords for these accounts; therefore, these users are at zero risk,” the company confirmed.

Zomato promised its users that “over the next couple of days and weeks” it’ll be working to “plug any more security gaps that we find in our systems,” while at the same time “further enhancing security measures for all user information stored within our database.”

So just to reiterate, if you’re a Zomato user, for peace of mind go and change your password now, as well as on any other services where you use the same password.

Trevor Mogg
Contributing Editor