Restaurant Site Zomato Suffered a Huge Hack
But the story has a happy ending.
It sounds like it’s been a wild day for Zomato. Less than 24 hours ago, the restaurant discovery site that boasts over 120 million users every month announced that about 17 million user records were stolen from its database. But in a bizarre twist, just 12 hours later, the company posted that the problem had been resolved thanks to an apparently very friendly hacker. Maybe the site gave him a really good restaurant recommendation?
Initially, Zomato was extremely apologetic about the hack, though the brand also tried to play down its impact. Though users’ emails and logins were exposed, the site said that any stolen passwords were “hashed,” meaning they could not “be easily converted back to plain text.” Additionally, no payment information was stolen. Still, as a precaution, the site reset the passwords of all affected users and strongly advised users “to change your password for any other services where you are using the same password,” just in case. At that time, the company blamed the compromise on “an internal (human) security breach.”
However, later today, Zomato tweaked that initial announcement and issued a somewhat surprising update. “Since [the hack], we have taken multiple steps to mitigate the situation,” the company wrote. “One of these steps was to open a line of communication with the hacker who had put the user data up for sale.” Apparently, the brand lucked out. “The hacker has been very cooperative with us,” it continued. “He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps.” Along those lines, the hacker’s primary demand was that Zomato offer up a bounty program to reward security researchers who find problems with the site in the future.
Obviously, Zomato knows a good offer when it sees one. The company agreed to the bug bounty program demand, and as a result, “the hacker has in turn agreed to destroy all copies of the stolen data and take the data off the dark web marketplace.” The world’s nicest hacker also told Zomato how the hack happened, allowing the company to close any loopholes.
Still, having been burned once, the restaurant site says it’s playing it safe. “Having said that, we are going to be cautious and paranoid, as this is a sensitive matter,” Zomato stated. “6.6 million users had password hashes in the ‘leaked’ data, which can be theoretically decrypted using brute force algorithms. We will be reaching out to these users to get them to update their password on all services where they might have used the same password.” Meanwhile, Zomato also might want to consider taking that hacker out to the nicest restaurant on their site.
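Whether leaked password hashes can realistically be brute-forced depends on how they were produced, which the article does not say. The following is an added illustration, not Zomato’s code: it contrasts a fast, unsalted hash (where every user who chose the same password ends up with the same stored value, so one guess cracks all of them) with a salted, iterated key-derivation function, where each guess costs hundreds of thousands of hash operations and must be repeated per user. The record format `pbkdf2_sha256$iterations$salt$digest`, the iteration count and the `needs_rehash` helper are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not code from the article or from Zomato. Record format and
# parameter values below are assumptions made for this illustration.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # order of magnitude recommended for PBKDF2-HMAC-SHA256


def fast_unsalted_hash(password: str) -> str:
    """The weak pattern: one fast hash, no salt.

    Identical passwords map to identical digests, so a single guess that
    matches one record matches every user with that password, and precomputed
    tables work across the whole leaked set.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """The hardened pattern: per-user random salt plus a deliberate work factor.

    Returns a self-describing record so the parameters can be raised later
    without breaking verification of existing records.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh salt for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the record's own salt and iteration count.

    Malformed or foreign records verify as False rather than raising.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False
    # constant-time comparison so a mismatch does not leak where the digests diverge
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if a stored record uses fewer iterations than current policy.

    A site that has just forced a password reset can also use this at login
    time to migrate older records to a stronger work factor transparently.
    """
    try:
        algorithm, iterations, _salt_hex, _digest_hex = record.split("$")
    except ValueError:
        return True
    return algorithm != ALGORITHM or int(iterations) < minimum_iterations


if __name__ == "__main__":
    # Two users who picked the same (constructed) password.
    weak_a = fast_unsalted_hash("summer2017")
    weak_b = fast_unsalted_hash("summer2017")
    print("unsalted digests identical:", weak_a == weak_b)

    strong_a = hash_password("summer2017")
    strong_b = hash_password("summer2017")
    print("salted records identical:", strong_a == strong_b)
    print("verify correct password:", verify_password("summer2017", strong_a))
    print("verify wrong password:", verify_password("summer2018", strong_a))
```

The practical takeaway for a defender reviewing a breach like this one: a leaked set of unsalted fast hashes is effectively a leaked password list for anyone with commodity GPUs, whereas salted, iterated records force the attacker to pay the full work factor separately for each of the 6.6 million users, which is why forcing resets and warning about password reuse is the right response even when “only hashes” were exposed.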