Zomato discovered this week that user emails and hashed passwords had been stolen from its database and the firm says it is working with the hacker responsible to mitigate the situation.
Yes, you did read that right: Zomato is working with the hacker that stole its data and put it up for sale on the dark web.
“The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps,” Zomato wrote in a blog post.
The firm goes on to say that the hacker simply wanted it to run a healthy bug bounty program for security researchers which it will now be doing.
“We are introducing a bug bounty program on Hackerone very soon. With that assurance, the hacker has in turn agreed to destroy all copies of the stolen data and take the data off the dark web marketplace. The marketplace link which was being used to sell the data on the dark web is no longer available,” said the firm.
According to Zomato, 6.6 million users had salted password hashes stolen, and only five data points were exposed: user IDs, names, usernames, email addresses and the aforementioned salted password hashes. In total, 17 million user records were stolen during the breach.
The firm has said that it will reach out to users who may have used the same password on other services and ask them to change those passwords; it has also advised that, if your Zomato password is the same as your password on other sites, you should change those now.
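The "password hashes with salt" mentioned above, and the reason reused passwords still need changing even when hashes are salted, are easier to see in code. The following is an added example, not Zomato's code and not a description of how Zomato stored passwords (the article does not say which hash function it used); it assumes a per-user random salt and PBKDF2-HMAC-SHA256 from Python's standard library. A unique salt means two users with the same password get different stored digests, so an attacker holding the database cannot crack them in one pass, but a weak or reused password can still be guessed offline one account at a time, which is why the breach advice is to rotate it everywhere it was used.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed parameters for this example (not from the article):
# 600,000 PBKDF2-HMAC-SHA256 iterations and a 16-byte random salt per user.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, stored_digest)


def demo(iterations: int = ITERATIONS) -> dict:
    """Two users choosing the same password end up with different stored records."""
    shared = "correct horse battery staple"  # constructed sample password
    salt_a, digest_a = hash_password(shared, iterations=iterations)
    salt_b, digest_b = hash_password(shared, iterations=iterations)
    return {
        "salts_differ": salt_a != salt_b,
        "digests_differ": digest_a != digest_b,
        "verify_ok": verify_password(shared, salt_a, digest_a, iterations),
        "verify_wrong": verify_password("wrong password", salt_a, digest_a, iterations),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The stored record per user is the pair (salt, digest); the salt is not secret and is kept alongside the digest so that verification can reproduce it. What makes the scheme slow to attack is the iteration count, not the salt, so a deployment should tune `ITERATIONS` to the highest value its login latency budget allows.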
The firm has said that all payment information remains secure and none of that data was stolen.
Zomato will also publish details about how the hacker got in once the holes have been plugged.