Another website has been hacked and had its customers’ information put up for sale on the dark web. But this particular incident was resolved when the hacker agreed to remove the listing on the condition that the victim introduces a bug bounty program.
Restaurant search service Zomato, which is available in more than 20 countries around the world, yesterday revealed it had discovered 17 million user records from its database had been stolen. 60 percent of those affected use third-party authenticators such as Google and Facebook to log into the service, so these credentials weren’t at risk, but that left around 6.6 million password and email combinations exposed.
Zomato claimed the hashed passwords “cannot be easily converted back to plain text,” but as they use the notoriously weak MD5 hashing algorithm with a very short salt, Motherboard and other security researchers managed to convert just over half from a sample set back to their original state.
MD5 with a 2 char hex salt - WTF?! "Restaurant App Zomato Says Your Stolen Password Is Fine. But Is It?" https://t.co/2NBTnAdosF
— Troy Hunt (@troyhunt) May 18, 2017
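The weakness above is in the hashing scheme, not the leak itself: MD5 is fast, and a two-character hex salt gives only 256 possible salts, so guesses can be checked at a rate that makes most passwords recoverable. The following is an added example (not Zomato's code) of how a site can migrate away from such a scheme without forcing a reset: it assumes the legacy hash is MD5 over salt+password, verifies the legacy hash once at login, and immediately re-hashes the password with PBKDF2-HMAC-SHA256 and a random 16-byte salt.

```python
import hashlib
import hmac
import secrets

# Legacy scheme as the article describes it: MD5 with a 2-character hex salt.
# Assumption (not stated on the page): the salt is prepended to the password.
# With only 16**2 = 256 salt values, precomputation is barely slowed down.
def legacy_md5_hash(password: str, salt: str) -> str:
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def legacy_verify(password: str, salt: str, stored_hex: str) -> bool:
    # constant-time comparison so the check itself leaks nothing about the hash
    return hmac.compare_digest(legacy_md5_hash(password, salt), stored_hex)


# Replacement: a deliberately slow, salted KDF from the standard library.
PBKDF2_ITERATIONS = 200_000  # tune upward as hardware allows


def modern_hash(password: str, salt: bytes = None) -> str:
    salt = salt or secrets.token_bytes(16)  # per-user random salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # self-describing format so parameters can be raised later without a flag day
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def modern_verify(password: str, stored: str) -> bool:
    _scheme, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login_and_upgrade(record: dict, password: str) -> bool:
    """Verify against whichever scheme the record uses. On a successful legacy
    login, replace the MD5 fields with a PBKDF2 hash in place (upgrade-on-login)."""
    if "legacy_md5" in record:
        if not legacy_verify(password, record["legacy_salt"], record["legacy_md5"]):
            return False
        record["password_hash"] = modern_hash(password)
        del record["legacy_md5"], record["legacy_salt"]
        return True
    return modern_verify(password, record["password_hash"])


# Constructed sample user record in the legacy format (not real breach data).
USER = {"email": "user@example.com", "legacy_salt": "a7",
        "legacy_md5": legacy_md5_hash("correct horse battery", "a7")}
```

After the first successful login the record no longer carries an MD5 hash, so a later database theft exposes only PBKDF2 hashes with unique salts.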
Zomato said it has since patched the vulnerability that made the hack possible and reset the passwords for all affected users. It stresses that payment information is stored separately from the stolen data, meaning no credit/debit card details were compromised.
Somewhat unusually, Zomato eventually contacted the hacker responsible. The person agreed to remove the leaked data from the dark web and destroy all copies, but only if the company acknowledged the vulnerabilities in its system and offered to compensate security researchers who discover bugs. Zomato has had an account on the HackerOne disclosure service for over a year, and will now start paying people who report security issues.
The hacker told Motherboard they found the vulnerability in Zomato's infrastructure around one year ago. They reported it but received no reply. "It does not justify the pain I caused to them, but it is a reason," they said.