Popular restaurant search and discovery service Zomato was in the news on Thursday when it revealed that about 17 million user records had been stolen from its database. Zomato said the stolen data contained user email addresses and hashed passwords, but no credit card information. The company now says it has been in touch with the hacker, who has explained how the data was taken, and that the hole has since been closed.
In a fresh blog post, Zomato says "the hacker has been very cooperative", and that he/she asked Zomato to "run a healthy bug bounty program for security researchers", a request the company has accepted.
“We are introducing a bug bounty program on Hackerone very soon,” the company says in the blog post. “With that assurance, the hacker has in turn agreed to destroy all copies of the stolen data and take the data off the dark Web marketplace. The marketplace link which was being used to sell the data on the dark Web is no longer available.”
Zomato reiterated that only user IDs, names, usernames, email addresses, and salted password hashes were leaked. A salt does not stop an attacker who holds the hash table from guessing passwords offline, however: weak or common passwords can still be recovered by brute-force or dictionary attack against each hash. Zomato will therefore contact the 6.6 million users whose password hashes were leaked and advise them to change their password on every service where they use the same one.
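The following is an added illustration of why a leaked table of salted hashes still gives up weak passwords, and why reusing those passwords elsewhere matters. It is not Zomato's code and does not describe Zomato's actual hash scheme: the leaked rows, the wordlist and the sha256(salt || password) construction are all assumed here for the demonstration, and the PBKDF2 variant is included only to contrast a fast hash with a deliberately slow one.

```python
"""
Offline guessing against a leaked table of salted password hashes.

Added illustration, not Zomato's code or its real hash scheme. The "leaked"
rows below are constructed; sha256(salt || password) is an assumed fast hash
standing in for whatever a breached service might have used.
"""
import hashlib
import os

# Constructed sample: four accounts, two of which share a weak password.
# In a real dump the plaintexts are unknown; they appear here only to build rows.
SAMPLE_ACCOUNTS = {
    "alice@example.com": "password123",
    "bob@example.com": "letmein",
    "carol@example.com": "password123",
    "dave@example.com": "Vq7!pz2#Lm9&xTb4",  # assumed strong, absent from any wordlist
}

# Constructed wordlist; a real attacker uses tens of millions of entries.
WORDLIST = ["123456", "password", "letmein", "qwerty", "password123", "zomato"]


def fast_hash(salt: bytes, password: str) -> str:
    """Assumed scheme: one SHA-256 over salt || password. Fast, no work factor."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def slow_hash(salt: bytes, password: str, iterations: int = 100_000) -> str:
    """Contrast scheme: PBKDF2-HMAC-SHA256. Each guess costs `iterations` HMACs;
    production settings use far higher counts (or Argon2/scrypt/bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_leak(accounts, hasher=fast_hash):
    """Construct leaked rows (email, salt, digest) with a random 16-byte salt per user."""
    rows = []
    for email, password in accounts.items():
        salt = os.urandom(16)
        rows.append((email, salt, hasher(salt, password)))
    return rows


def shared_passwords_visible(rows):
    """What the salt does buy: identical passwords no longer give identical digests,
    so the dump alone does not show which accounts share a password."""
    digests = [digest for _, _, digest in rows]
    return len(digests) != len(set(digests))


def crack(rows, wordlist, hasher=fast_hash):
    """Offline dictionary attack. The salt sits next to the hash, so it hides
    nothing from the attacker; it only forces one hash computation per
    (account, guess) pair instead of one per guess across the whole dump.
    Returns the cracked passwords and the number of hash computations spent."""
    cracked = {}
    work = 0
    for email, salt, digest in rows:
        for guess in wordlist:
            work += 1
            if hasher(salt, guess) == digest:
                cracked[email] = guess
                break
    return cracked, work


def crack_unsalted(accounts, wordlist):
    """For contrast: with no salt the attacker hashes the wordlist once and looks
    every leaked digest up in that table, so the cost is independent of dump size."""
    table = {hashlib.sha256(g.encode()).hexdigest(): g for g in wordlist}
    leaked = {email: hashlib.sha256(pw.encode()).hexdigest() for email, pw in accounts.items()}
    cracked = {email: table[d] for email, d in leaked.items() if d in table}
    return cracked, len(wordlist)


if __name__ == "__main__":
    rows = build_leak(SAMPLE_ACCOUNTS)
    print("shared passwords visible in salted dump:", shared_passwords_visible(rows))
    found, work = crack(rows, WORDLIST)
    print(f"salted fast hash: cracked {len(found)}/{len(rows)} with {work} hash calls")
    found_u, work_u = crack_unsalted(SAMPLE_ACCOUNTS, WORDLIST)
    print(f"unsalted:         cracked {len(found_u)}/{len(rows)} with {work_u} hash calls")
    found_s, work_s = crack(build_leak(SAMPLE_ACCOUNTS, slow_hash), WORDLIST, slow_hash)
    print(f"salted PBKDF2:    cracked {len(found_s)}/{len(rows)}, same {work_s} calls, "
          f"each ~100,000x the cost")
```

Three accounts fall to a six-word list in both the salted and the unsalted run; the salt changes only how the work is organised, not which passwords are recoverable. A slow KDF multiplies the cost of every guess but still does not save an account whose password is in the attacker's list, which is why the practical advice is the one Zomato gives: change the password, and change it anywhere else it was reused.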
"The hacker also gave us all the details on the way he/she got access to this database. We will post this information on our blog once we close the loopholes, so that others can learn from our mistakes," the post continues. The reference to "loopholes", plural, suggests there may be weaknesses beyond the one the hacker exploited, which the company is now working to fix.
“We look forward to working more closely with the ethical hacker community, to make Zomato a safer place for our users,” the company added.