Food and menu app Zomato says it has reached a deal with the hacker who broke into its systems and stole around 17 million user credentials including passwords.
Zomato revealed the data breach late yesterday. It said it had reset the passwords for the users whose credentials were taken.
Although the unnamed hacker posted the stolen database for sale on a dark web marketplace, Zomato now says the person "has been very cooperative with us" and destroyed the purloined information.
"He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps," Zomato said.
"His/her key request was that we run a healthy bug bounty program for security researchers."
Rather than report the hacker to the police, Zomato said it will introduce a bug bounty on HackerOne "very soon" and work more closely with the ethical hacker community.
The hacker also provided details on how the Zomato database was broken into, the company said. It promised to "close the loopholes" and post information on this so others can learn from its mistakes.
Zomato said that because around 60 percent of its users authenticate via third-party OAuth service providers like Google and Facebook, it does not hold passwords for those accounts, which limits the number of exposed users to 6.6 million.
In its initial notice, Zomato said the stolen passwords were hashed with an unspecified "one-way hashing algorithm, with multiple hashing iterations and individual salt per password".
Although Zomato said this means the passwords can't easily be converted back into plain text, it later advised caution.
"We are going to be cautious and paranoid, as this is a sensitive matter. 6.6 million users had password hashes in the ‘leaked’ data, which can be theoretically decrypted using brute force algorithms," it said.
"We will be reaching out to these users to get them to update their password on all services where they might have used the same password."
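The scheme Zomato describes (an individual salt per password plus repeated hashing) and the reason weak passwords remain guessable can be shown in a short sketch. This is an added example, not Zomato's code: the notice does not name the algorithm, so PBKDF2-HMAC-SHA256, the iteration count, the user names and the passwords are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # assumed work factor; Zomato's real count is not on the page

def hash_password(password, iterations=ITERATIONS):
    """Store (salt, iterations, digest) with a fresh random salt per password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def audit_weak(records, common_passwords):
    """Defender-side audit: flag accounts whose password is on a common list.

    Returns (hits, derivations). Because each record has its own salt, no
    derivation can be reused across accounts: the cost is per user, per guess.
    """
    hits, derivations = {}, 0
    for user, record in records.items():
        for guess in common_passwords:
            derivations += 1
            if verify_password(guess, record):
                hits[user] = guess
                break
    return hits, derivations

# Constructed sample data: two users share a weak password, one uses a strong one.
RECORDS = {
    "alice": hash_password("123456"),
    "bob": hash_password("123456"),
    "carol": hash_password("vX9#ridge-lantern-42-mosaic"),
}
COMMON = ["password", "123456", "qwerty"]

if __name__ == "__main__":
    hits, derivations = audit_weak(RECORDS, COMMON)
    print("same password, different digests:", RECORDS["alice"][2] != RECORDS["bob"][2])
    print("accounts needing a forced reset:", sorted(hits), "after", derivations, "derivations")
```

Salting and iteration raise the cost of every guess but do not protect a common or reused password, which is why the forced reset and the advice to change the password on other services still apply.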
User IDs, real names, and email addresses were captured by the hacker along with passwords, the menu app company said. No credit card data, which is stored separately, was taken in the hack.