In a major cybersecurity breach that has taken place at Zomato, user account details and password hashes of over 17 million users were stolen by an anonymous hacker. Moving ahead with the stolen data, the hacker has put up those details up for sale on Dark Web, at an asking price of $1,001.43 (BTC 0.5587) — BTC for Bitcoins.
The data breach has been acknowledged by Zomato in a blog post,
The reason you’re reading this blog post is because of a recent discovery by our security team – about 17 million user records from our database were stolen. The stolen information has user email addresses and hashed passwords.
However, before you start worrying about your personal details, the hack isn’t actually that big in magnitude.
Your passwords are stolen in hash formats, which are encrypted forms of the general english language password you enter. These hash keys are pure garbage values and the possibility of decrypting them back to see and hack your original password are extremely rare. Also do note, that the hacker does not have access to Zomato’s database, so no bulk password change can be done by the hacker.
Still on a note of caution, it is advisable that you change your passwords, just to be extra secured.
Coming to your payment details. Now, even though your names and a few other details — which in any case are available publicly on various social media networks — may have been stolen, your credit card details or any payment methods that you may have saved on Zomato, are safe and intact.
This is largely because no online commerce company stores these two details on the same location and the same datasets. Zomato too, on its part, has clarified the same and said,
Payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked.
On its part, Zomato has reset the passwords for all affected users and logged them out of the app and website. The company is further scanning all possible breach vectors and closing any gaps in their environment. As far as it can go, this looks like an internal (human) security breach – some employee’s development account got compromised.