Hacker removes 6.6 million Zomato customer passwords from dark web after company agrees...

By midian182 · 8 replies
May 19, 2017
  1. Another website has been hacked and had its customers’ information put up for sale on the dark web. But this particular incident was resolved when the hacker agreed to remove the listing on the condition that the victim introduces a bug bounty program.

    Restaurant search service Zomato, which is available in more than 20 countries around the world, yesterday revealed it had discovered 17 million user records from its database had been stolen. 60 percent of those affected use third-party authenticators such as Google and Facebook to log into the service, so these credentials weren’t at risk, but that left around 6.6 million password and email combinations exposed.

    Zomato claimed the hashed passwords “cannot be easily converted back to plain text,” but because the passwords were hashed with the notoriously weak MD5 algorithm and a very short salt, Motherboard and other security researchers managed to recover the plaintext of just over half of a sample set.

    Zomato said it has since patched the vulnerability that made the hack possible and reset the passwords for all affected users. It stresses that payment information is stored separately from the stolen data, meaning no credit/debit card details were compromised.

    Somewhat unusually, Zomato eventually contacted the hacker responsible. The person agreed to remove the leaked data from the dark web and destroy all copies, but only if the company acknowledged the vulnerabilities in its system and offered to compensate security researchers who discover bugs. Zomato has had an account on the HackerOne disclosure service for over a year, and will now start paying people who report security issues.

    The hacker told Motherboard they found the vulnerability in Zomato’s infrastructure around one year ago. They reported it but received no reply. "It does not justify the pain I caused to them, but it is a reason," they said.
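    The weak storage scheme described above (one fast MD5 over a short salt and the password) is what let researchers recover half the sample. The following is an added example, not code from the article or from Zomato, and the record formats `md5$<salt>$<hex>` and `pbkdf2_sha256$<iters>$<salt>$<hex>` are assumptions: it shows how a service can keep accepting legacy records only long enough to rehash each password with salted PBKDF2-HMAC-SHA256 on the next successful login, which is the usual remediation after a reset like Zomato's.

```python
import hashlib
import hmac
import secrets

# Assumed record prefixes (constructed for this example, not Zomato's real format).
LEGACY_PREFIX = "md5$"
MODERN_PREFIX = "pbkdf2_sha256$"
PBKDF2_ITERATIONS = 600_000  # slow by design; tune to your hardware budget


def legacy_hash(password: str, salt: str) -> str:
    """The weak scheme from the article: a single fast MD5 over salt+password."""
    digest = hashlib.md5((salt + password).encode()).hexdigest()
    return f"{LEGACY_PREFIX}{salt}${digest}"


def modern_hash(password: str, salt: bytes = b"") -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{MODERN_PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def needs_upgrade(stored: str) -> bool:
    """True when the stored record still uses the legacy MD5 scheme."""
    return stored.startswith(LEGACY_PREFIX)


def verify_and_upgrade(password: str, stored: str):
    """Check a login attempt against a stored record.

    Returns (ok, record). On a successful login against a legacy record the
    returned record is a freshly computed PBKDF2 record that the caller must
    write back; in every other case the stored record is returned unchanged.
    """
    if stored.startswith(LEGACY_PREFIX):
        _, salt, digest = stored.split("$", 2)
        expected = hashlib.md5((salt + password).encode()).hexdigest()
        if not hmac.compare_digest(expected, digest):  # constant-time compare
            return False, stored
        return True, modern_hash(password)  # transparent upgrade on success
    if stored.startswith(MODERN_PREFIX):
        _, iters, salt_hex, dk_hex = stored.split("$", 3)
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(dk.hex(), dk_hex), stored
    return False, stored  # unknown format: never accept
```

Once every active account has logged in and been upgraded, the remaining legacy records belong to dormant users and should be force-reset rather than left in the weak format.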


  2. stewi0001

    stewi0001 TS Evangelist Posts: 1,681   +1,080

    Not sure if the hacker is a good guy or not... Maybe Chaotic Neutral. XD
  3. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,286   +902

    Yeah, destroy all the copies: "done", lol.

    It's as true as "please delete our old photos" "done"...
  4. Yes definitely a problem with the internet, once they are out there, there is no 'destroy all copies', but if the debit/credit info wasn't compromised and the flaw fixed and passwords changed, it should mostly be o.k.
  5. Reehahs

    Reehahs TS Guru Posts: 574   +316

    The company is at fault for not heeding the good Samaritan warning.
  6. Nobina

    Nobina TS Evangelist Posts: 1,335   +843

    He might do something good now but who knows what he'll do tomorrow, can't really trust these people and their ethics.
  7. Camikazi

    Camikazi TS Evangelist Posts: 925   +284

    You can say the same about anyone with any kind of power.
  8. stewi0001

    stewi0001 TS Evangelist Posts: 1,681   +1,080

    Even He-Man? ;P
  9. Camikazi

    Camikazi TS Evangelist Posts: 925   +284

    He doesn't count, he's still trying to figure out What's Going On!
