17 million customer records were stolen from the database of restaurant search facilitator Zomato, exposing user email addresses and hashed passwords. After the attack, the hacker put the data up for sale on the dark web.
The company assures users that all payment-related information is safely kept in a PCI Data Security Standard-compliant vault and hackers had no access to payment or credit card data. Zomato is investigating the breach and all possible gaps, and has reset all passwords and logged users out of all platforms.
“We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password,” the company wrote on its blog. “This means your password cannot be easily converted back to plain text. We, however, strongly advise you to change your password for any other services where you are using the same password.”
For now, the incident seems to have been an internal security breach due to human error — an employee’s account was compromised. To enhance security, the company will add a layer of authorization for employees who have access to such information.
This is not the first time Zomato has dealt with a major security breach — two years ago the company experienced the first cyberattack on its infrastructure. Zomato has a total of 120 million users.