Zomato says 17 mn user records stolen

Internet Desk May 18 | Updated on January 11, 2018 Published on May 18, 2017



Stolen information has email addresses, hashed passwords

Online restaurant-discovery and food ordering platform Zomato today admitted to a security breach.

In a blog post, the company said: "About 17 million user records from our database were stolen. The stolen information has user email addresses and hashed passwords."

In the post, it said hashed passwords cannot be converted into plain text and hence the password information of registered Zomato users is intact. The company also urged its users to change their passwords just to be on the safe side.

"Payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked," the blog post said.

According to, a user going by the online name of “nclay” has claimed to have hacked Zomato. It further said the user is selling the stolen data on a Dark Web marketplace. The data includes emails and password hashes of registered Zomato users while the price set for the whole package is USD 1,001.43 (BTC 0.5587). BTC refers to bitcoins.


The startup’s disclosure comes at a time when the world is grappling with the cyber attack by ransomware ‘WannaCry’, which has impacted IT networks in over 150 countries.

Zomato said the data theft was discovered recently by its security team, without indicating the exact time or if it was related to the ‘WannaCry’ ransomware attack.

“Our team is actively scanning all possible breach vectors and closing any gaps in our environment. So far, it looks like an internal (human) security breach — some employee’s development account got compromised,” it said.

Assuring its users that their credit card information on Zomato is fully secure, the company said “payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault”.

As a precaution, Zomato said it has reset passwords for all affected users and logged them out of its app and website, and that all of the user accounts were secure.

It, however, encouraged users to change their password for any other services where they were using the same password.

Zomato said over 120 million users visit its site every month.

The company said it will be actively working to plug any more security gaps in its systems.

(With additional inputs from PTI)
