If you use Zomato to look up restaurants, you may want to check your account: someone has infiltrated its system and got away with 17 million users’ IDs, usernames, names, email addresses and hashed passwords. The service says no payment information was stolen, since credit card details are stored separately. It also doesn’t have access to your Facebook or Google account, so you don’t have to worry about anything if you simply linked your account instead of making a standalone one for Zomato. But if you did make a standalone one for Zomato, it’s best to change your password ASAP.
This is totally separate incident from the WannaCry attacks, and the hacker who infiltrated the company’s system didn’t ask for ransom. He tried to sell his loot on the dark web instead but ended up pulling it down when the company agreed to his terms. They include acknowledging the security vulnerabilities in its system, to work with the ethical hacker community to patch them up and to launch a bug bounty program.
Zomato says it will amp up its website’s security measures, especially since it found out that 6.6 million of the stolen hashed passwords can “theoretically [be] decrypted using brute force algorithms.” It also promises to reveal how exactly the hacker got in, which the infiltrator himself revealed to the company, once it’s done fixing the vulnerabilities that made it possible.