You are here: Home / Internet Governance / News & Media / Hack exposes Zomato's weak protection of customer data, say Cyber experts

Hack exposes Zomato's weak protection of customer data, say Cyber experts

by Prasad Krishna last modified May 19, 2017 09:11 AM
Online restaurant aggregator says it will beef up security after 17 million user details were stolen.

The article by Alnoor Peermohamed was published in the Business Standard on May 19, 2017. Pranesh Prakash was quoted.


After details of over 17 million users was stolen and sold online, restaurants discovery and food ordering service has vowed to beef up security measures, including adding a layer of authentication for its own employees to access user data.

The company in a blog post claimed that the leak appeared to be an internal (human) security breach with an employee's development account getting compromised.

However, experts pointed out that was clearly lacking in its technique to protect customer data from unwanted elements .

Sajal Thomas, a consultant, claimed on Twitter that he verified the sample data being sold on the dark web and found that had used MD5 to hash passwords. MD5 is neither encryption nor encoding, and was known to be easily cracked by attacks and suffered from major vulnerabilities.

Further, he said had not used salting, a technique where random data was used as additional input to make cracking a hashed password much harder. Thomas said that it took just a few seconds to crack the hashed passwords to turn them into plain text.

in its blog post, however, claimed that it protected "passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password."

It said that this was to ensure that passwords could not be easily converted back to plain text. The firm claimed no credit or debit card information of users were leaked.

While says it has reset passwords of all the affected accounts, experts say that users whose data were leaked are still under threat.

"If you had a password for that you used elsewhere (on facebook or email), immediately change that password across all those accounts," tweeted Pranesh Prakash, policy director at the Centre for Internet and Society.

According to Prakash, a statement by misled people on how serious the security breach was by providing a false sense of security.

Subsequently, the company reworded its blog post to prompt users to change passwords of other services where they might have used the same password as their account.

The leak was first detected by security blog HackRead when it came across an online handle going by the name of "nclay" claiming to have hacked Zomato's database and selling its data on the dark web. Upon testing some of the data made public by the hacker, HackRead found that each account actually existed on

"The database includes emails and password hashes of registered users while the price set for the whole package is $1,001.43 (BTC 0.5587). The vendor also shared a trove of sample data to prove that the data is legit," HackRead wrote in its post.