After details of over 17 million users was stolen and sold online, restaurants discovery and food ordering service Zomato has vowed to beef up security measures, including adding a layer of authentication for its own employees to access user data.
The company in a blog post claimed that the leak appeared to be an internal (human) security breach with an employee's development account getting compromised.
However, cyber security experts pointed out that Zomato was clearly lacking in its technique to protect customer data from unwanted elements .
Sajal Thomas, a cyber security consultant with PwC, claimed on Twitter that he verified the sample data being sold on the dark web and found that Zomato had used MD5 to hash passwords. MD5 is neither encryption nor encoding, and was known to be easily cracked by attacks and suffered from major vulnerabilities.
Further, he said Zomato had not used salting, a technique where random data was used as additional input to make cracking a hashed password much harder. Thomas said that it took just a few seconds to crack the hashed passwords to turn them into plain text.
Zomato in its blog post, however, claimed that it protected "passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password."
It said that this was to ensure that passwords could not be easily converted back to plain text. The firm claimed no credit or debit card information of users were leaked.
While Zomato says it has reset passwords of all the affected accounts, experts say that users whose data were leaked are still under threat.
"If you had a password for Zomato that you used elsewhere (on facebook or email), immediately change that password across all those accounts," tweeted Pranesh Prakash, policy director at the Centre for Internet and Society.
If you had a password for Zomato that you used elsewhere, then IMMEDIATELY change that password across ALL those accounts. Use a pw manager! https://t.co/CbhtxCwlnD - Pranesh Prakash (@pranesh) May 18, 2017
According to Prakash, a statement by Zomato misled people on how serious the security breach was by providing a false sense of security.
Subsequently, the company reworded its blog post to prompt users to change passwords of other services where they might have used the same password as their Zomato account.
The leak was first detected by security blog HackRead when it came across an online handle going by the name of "nclay" claiming to have hacked Zomato's database and selling its data on the dark web. Upon testing some of the data made public by the hacker, HackRead found that each account actually existed on Zomato.
"The database includes emails and password hashes of registered Zomato users while the price set for the whole package is $1,001.43 (BTC 0.5587). The vendor also shared a trove of sample data to prove that the data is legit," HackRead wrote in its post.