February 23, 2018

Zomato's rotten security sees hackers make off with 6.6 million user passwords

19 May 2017, 12:30 | Ross Houston


Apparently, the Zomato hacker has agreed not to sell the usernames and passwords he managed to steal, in return for the company setting up a bug bounty program. According to the information security blog and news website HackRead, the data was being peddled on the "dark web" for about $1,000. "Your payment information is absolutely safe, and there's no need to panic", Zomato said.

Assuring its users that their credit card information on Zomato is fully secure, the company said "payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault".

Zomato, which claims to have 120m monthly users, said that no financial information or other details were accessed by the hackers. Nonetheless, Zomato has asked all users to change their passwords on any other services where they used the same password.

"The hashed password cannot be converted/decrypted back to plain text - so the sanctity of the password is intact in case users use the same password for other services", the blog post read. "We don't have passwords for these accounts - therefore, these users are at zero risk".

It reiterated that only five data points were exposed: user IDs, names, usernames, email addresses, and salted password hashes.

"It is a good thing to see that Zomato was following a good practice of hashing the passwords before storing it on their database, but saying 'The hashed password can not be converted/decrypted back to plain text' is misleading", Saket Modi, CEO and co-founder of Delhi-based IT risk assessments provider Lucideus, told IANS.

MediaNama has written to Zomato to confirm whether it used the outdated MD5 algorithm, and whether it stored the salt values on the same server as the password hashes. "This has happened in the past", Modi said. Zomato, for its part, stated that all user accounts were secure.

Hence, nearly all the hacked and hashed accounts were broken. The identity of the hacker has been kept confidential. In addition, the firm claimed that 60% of its user base actually logs in via OAuth services such as Google and Facebook, so their passwords are safe. The hacker, Zomato said, "wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps". This isn't the first time, either: previously, an Indian hacker named Anand Prakash had hacked into the database to demonstrate its flaws, which Zomato acknowledged and fixed.
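The point Modi makes above is that an attacker holding a dump of salted hashes does not "decrypt" anything: they guess candidate passwords and hash each one, so the only real protection is the cost of each guess. The following added example (my own code, not Zomato's or MediaNama's; Zomato's actual scheme is unknown and is assumed here to be MD5 with the salt stored beside the hash, the scheme MediaNama asked about) puts that legacy scheme beside a hardened one built on scrypt from the standard library and measures the per-guess cost ratio.

```python
"""Legacy salted-MD5 storage (assumed scheme) beside a hardened scrypt scheme.

Added example, not code from the article or from Zomato. Both schemes are
one-way; the difference is how much work each password guess costs.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

# Legacy scheme: hex(md5(salt || password)), salt stored next to the hash.
# Cheap per guess, so a leaked dump falls quickly to offline guessing.
def legacy_hash(password: str, salt: bytes) -> str:
    return hashlib.md5(salt + password.encode()).hexdigest()

def legacy_verify(password: str, salt: bytes, stored: str) -> bool:
    # compare_digest avoids leaking the match position through timing
    return hmac.compare_digest(legacy_hash(password, salt), stored)

# Hardened scheme: scrypt (memory-hard) with a random per-user salt; the
# parameters travel with the record so they can be raised for new records.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def hardened_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"

def hardened_verify(password: str, record: str) -> bool:
    scheme, n, r, p, salt_hex, dk_hex = record.split("$")
    if scheme != "scrypt":
        return False  # refuse records from an unknown scheme
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def cost_ratio(trials: int = 20) -> float:
    """Rough per-guess cost of the hardened scheme relative to legacy MD5."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for i in range(trials):
        legacy_hash(f"guess{i}", salt)
    legacy = (time.perf_counter() - t0) / trials
    t0 = time.perf_counter()
    for i in range(trials):
        hardened_hash(f"guess{i}", salt)
    hardened = (time.perf_counter() - t0) / trials
    return hardened / legacy
```

On a typical laptop `cost_ratio()` lands in the tens of thousands, which is the gap between "the dump is cracked in minutes" and "the dump is cracked in years" for the same password list.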
