Well, who said gentlemanly conduct is dead and that thieves have no honor? Apparently, the Zomato hacker has agreed not to sell the usernames and passwords he managed to steal, in return for the company setting up a bug bounty program. Whoever heard of a hacker doing a thing like that?
A day or so ago, the Indian restaurant guide Zomato suffered a massive breach in which information belonging to millions of users was stolen by an anonymous hacker. There was a state of panic when the company announced that the hacker had taken at least 17 million user records, including e-mail addresses and hashed passwords. Thankfully, credit card information was not stolen.
All the stolen information was put up for sale, as is usually the practice when someone steals a large quantity of user account data. However, our thief turned out to have some noble motives.
While he had initially put those details up for sale on the dark web at an asking price of $1,001.43 (BTC 0.5587), Zomato has apparently arrived at an agreement with the hacker, who has agreed to remove the advertisement for the data on the condition that the company initiates and maintains a bug bounty program.
The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers.
The company also confirmed its intention of introducing a bug bounty program, with its attendant rewards.
We are introducing a bug bounty program on Hackerone very soon. With that assurance, the hacker has in turn agreed to destroy all copies of the stolen data and take the data off the dark web marketplace. The marketplace link which was being used to sell the data on the dark web is no longer available.
The company also acknowledged that 5 points of data were stolen: user IDs, names, usernames, email addresses, and salted password hashes. No other information was exposed to anyone. However, independent sources, including Motherboard, state that the hashed passwords were converted back into plaintext easily enough.
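Salted hashes that still crack easily are the classic sign of a fast hash function being used for password storage. As an added illustration (not code from the article or from Zomato, whose actual hashing scheme the article does not name), the Python below verifies a constructed legacy salted-MD5 record format and transparently re-hashes it with scrypt on the next successful login; the scrypt cost parameters are demo assumptions.

```python
import hashlib
import hmac
import os

# Constructed legacy record format: "md5$<salt hex>$<md5(salt + password) hex>".
# The salt defeats precomputed tables, but MD5 is so fast that salted hashes
# still fall to plain guessing, which is the failure mode the article reports.
def legacy_salted_md5(password: str, salt: bytes) -> str:
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return "md5$" + salt.hex() + "$" + digest

# Replacement scheme (assumed demo parameters): scrypt with a fresh random salt.
# The cost parameters are stored alongside the hash so they can be raised later.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)  # explicit salt only for deterministic tests
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Check a password against either record format using a constant-time compare."""
    fields = stored.split("$")
    if fields[0] == "scrypt" and len(fields) == 6:
        n, r, p = int(fields[1]), int(fields[2]), int(fields[3])
        salt, digest = bytes.fromhex(fields[4]), fields[5]
        candidate = hashlib.scrypt(password.encode(), salt=salt,
                                   n=n, r=r, p=p, dklen=32).hex()
    elif fields[0] == "md5" and len(fields) == 3:
        salt, digest = bytes.fromhex(fields[1]), fields[2]
        candidate = hashlib.md5(salt + password.encode()).hexdigest()
    else:
        return False  # unknown or malformed record: never accept
    return hmac.compare_digest(candidate, digest)

def login(stored: str, password: str) -> tuple:
    """Return (accepted, record_to_store). A correct password against a legacy
    md5 record is the only moment the plaintext is available, so upgrade then."""
    if not verify_password(password, stored):
        return False, stored
    if stored.startswith("md5$"):
        return True, hash_password(password)
    return True, stored
```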
Well, thankfully this particular issue has been averted. It should be taken as a wake-up call by all the companies out there that handle massive amounts of user data. Security is essential to maintaining your customers’ trust as well as their personal safety, and it should be treated as such.