Sunday, May 28 2017

Hacker removes 6.6 million Zomato customer passwords from dark web after company agrees to start bug bounty program

Another website has been hacked and had its customers’ information put up for sale on the dark web. But this particular incident was resolved when the hacker agreed to remove the listing on the condition that the victim introduces a bug bounty program.

Restaurant search service Zomato, which is available in more than 20 countries around the world, yesterday revealed it had discovered 17 million user records from its database had been stolen. 60 percent of those affected use third-party authenticators such as Google and Facebook to log into the service, so these credentials weren’t at risk, but that left around 6.6 million password and email combinations exposed.

Zomato claimed the hashed passwords “cannot be easily converted back to plain text,” but as they use the notoriously weak MD5 hashing algorithm with a very short salt, Motherboard and other security researchers managed to convert just over half from a sample set back to their original state.
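A defensive illustration of the storage problem described above, added here and not taken from the article or from Zomato's code: it wraps legacy salted-MD5 records in a slow key-derivation function so no bare MD5 digest stays in the table, then upgrades each record on the next successful login. The record layout, the two-character salt, the sample password and the iteration count are all assumptions made for the example.

```python
import hashlib, hmac, os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

def legacy_md5(password, salt):
    # Constructed legacy layout: md5(salt + password) with a 2-character salt.
    return hashlib.md5((salt + password).encode()).hexdigest()

def _pbkdf2(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS).hex()

def new_record(password):
    # Fresh record: 16 random salt bytes, slow hash of the password itself.
    salt = os.urandom(16)
    return "pbkdf2$%s$%s" % (salt.hex(), _pbkdf2(password, salt))

def wrap_legacy(stored):
    """Offline step: replace a bare md5 record with PBKDF2 over its digest."""
    scheme, old_salt, digest = stored.split("$")
    if scheme != "md5":
        raise ValueError("not a legacy record")
    salt = os.urandom(16)
    return "pbkdf2-md5$%s:%s$%s" % (old_salt, salt.hex(), _pbkdf2(digest, salt))

def verify(password, stored):
    """Return (ok, record_to_store); wrapped records are upgraded on a good login."""
    scheme, salt, digest = stored.split("$")
    if scheme == "pbkdf2":
        ok = hmac.compare_digest(_pbkdf2(password, bytes.fromhex(salt)), digest)
        return ok, stored
    if scheme == "pbkdf2-md5":
        old_salt, new_salt = salt.split(":")
        inner = legacy_md5(password, old_salt)  # recompute the old digest first
        ok = hmac.compare_digest(_pbkdf2(inner, bytes.fromhex(new_salt)), digest)
        return ok, (new_record(password) if ok else stored)
    return False, stored  # bare md5 records are refused until wrapped

if __name__ == "__main__":
    old = "md5$ab$" + legacy_md5("correct horse", "ab")  # constructed sample row
    wrapped = wrap_legacy(old)
    print(verify("correct horse", wrapped))
```

Wrapping protects accounts that never log in again; the wrapped form is only a stopgap, which is why `verify` replaces it with a direct PBKDF2 record as soon as the plaintext is available.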

Zomato said it has since patched the vulnerability that made the hack possible and reset the passwords for all affected users. It stresses that payment information is stored separately from the stolen data, meaning no credit/debit card details were compromised.

Somewhat unusually, Zomato eventually contacted the hacker responsible. The person agreed to remove the leaked data from the dark web and destroy all the copies, but only if the company acknowledged the vulnerabilities in its system and offered to compensate security researchers who discover bugs. Zomato has had an account on the HackerOne disclosure service for over a year, and will now start paying people who report security issues.

The hacker told Motherboard they found the vulnerability in Zomato’s infrastructure around one year ago. They reported it but received no reply. “It does not justify the pain I caused to them, but it is a reason,” they said.

About Techreview

Temmy Jonson: I am a passionate blogger, and our page, Tech Review Box, part of Tech Media, is an online tech publication from the USA that publishes brilliant, insightful and useful stories on tech, science and culture for the educated youth. Our mission is to go deep and tell the news beyond the news, show how tech is changing lives,
