Zomato breach: 17 million user email ids stolen; passwords, payment info safe

Key highlights:

• Zomato said the email ids and hashed passwords of 17 million users have been stolen from its site.
• Banking transactions information is still secure with Zomato.
• Zomato will be working to plug gaps in security system over the next few weeks.

Restaurant search and discovery platform, Zomato, on Thursday said that it has had a data breach in which 17 million users’ information has been compromised.

“The reason you’re reading this blog post is because of a recent discovery by our security team - about 17 million user records from our database were stolen. The stolen information has user email addresses and hashed passwords,” Zomato said in a blog post.

Further Zomato added, “As a precaution, we have reset the passwords for all affected users and logged them out of the app and website.”

The company claimed to have over 120 million users visiting its site every month.

Zomato urged its customers to change their passwords on its site as a safety precaution.

“The hashed password cannot be converted/decrypted back to plain text - so the sanctity of your password is intact in case you use the same password for other services. But if you are paranoid about security like us, we encourage you to change your password for any other services where you are using the same password,” the company added.

However payment related information the company said was stored separately from email ids and is still safe.

“Payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked,” Zomato said.

The company has urged its affected user base to contact customer care support at – support@zomato.com.

“Our team is actively scanning all possible breach vectors and closing any gaps in our environment. So far, it looks like an internal (human) security breach - some employee’s development account got compromised,” Zomato said.

The company said that over the next couple of days and weeks, the site will be working to plug any more security gaps.

“We’ll be further enhancing security measures for all user information stored within our database. A layer of authorisation will be added for internal teams having access to this data to avoid the possibility of any human breach. We regret any disruption this may cause and appreciate your immediate attention to this information,” Zomato said.