Update: Zomato says it’s been able to “open a line of communication with the hacker” who has been “very cooperative with us.” It said the hacker wanted the company to “acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps.” It added that the hacker has agreed to “destroy all copies of the stolen data” and remove it from the dark web marketplace, but continued to urge affected users to change their passwords as a precaution.
Early on Thursday, online restaurant guide Zomato revealed it’d been hit by hackers, estimating that login details had been stolen from 17 million of its 120 million users.
In a post on its site the India-based company said the “recent” discovery involved the theft of “email addresses and hashed passwords.” It insisted that no payment-related information had been nabbed in the attack as that data is held separately and wasn’t targeted.
However, the company said it would “strongly advise” all of its users to reset their passwords as a precautionary measure, and also to reset them on any other services where the same password is used. For the 17 million users Zomato could positively identify as having been directly affected, the company said it’d forced a password change and was notifying them of the move so they could then set a new password themselves.
The service, founded in 2008, is a Yelp-like user-reviewed directory of more than 1.2 million popular restaurants, cafes, and bars in more than 10,000 cities across 24 countries, many of which are located in the United States. The service also offers food deliveries and lets you book tables. Digital Trends included Zomato in its “best apps” listings back in 2013.
Later on Thursday, Zomato updated its post, reminding its users that those who log in via services such as Facebook and Google needn’t worry about the breach, as it holds no login information for such users. “We don’t have any passwords for these accounts; therefore, these users are at zero risk,” the company confirmed.
Zomato promised its users that “over the next couple of days and weeks” it’ll be working to “plug any more security gaps that we find in our systems,” while at the same time “further enhancing security measures for all user information stored within our database.”
So just to reiterate, if you’re a Zomato user, for peace of mind go and change your password now, as well as on any other services where you use the same password.