If you frequent the India-based restaurant and food review app Zomato, you should probably change your password immediately.
That’s the message conveyed in a blog post by the company on Thursday, after it announced that more than 10% of the company’s user records were stolen by a hacker.
“The reason you’re reading this blog post is because of a recent discovery by our security team – about 17 million user records from our database were stolen. The stolen information has user email addresses and hashed passwords,” it noted, adding that over 120-million people visit Zomato monthly.
For those who had their user information stolen, the company does offer a few comforts.
One, it has issued forced password updates to the users affected, meaning that users are now obligated to update their passwords to use the service.
Two, it has opened up communication channels with the person responsible for the hack.
17m of Zomato’s 120m monthly users were affected, but no financial information has been leaked
“The hacker has been very cooperative with us,” the company notes in a later blog post.
“He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty programme for security researchers.”
Zomato also states that it will introduce a bounty programme “very soon”.
“With that assurance, the hacker has in turn agreed to destroy all copies of the stolen data and take the data off the dark web marketplace. The marketplace link which was being used to sell the data on the dark web is no longer available,” it adds.
Beyond that, though, Zomato remains “cautious and paranoid”.
“Please note that only 5 data points were exposed – user IDs, Names, Usernames, Email addresses, and Password Hashes with salt. No other information was exposed to anyone (we have a copy of the ‘leaked’ database with us). Your payment information is absolutely safe, and there’s no need to panic,” it concludes.
Even if you weren’t affected by the hack, Zomato suggests that you change your password as a precaution.