Last week we brought you news that restaurant review app Zomato had experienced a data breach. The firm has now detailed exactly what happened and everybody could learn something from the incident.
The firm recounts a tale of how 000webhost’s user database was leaked online in 2015. This leak, says Zomato, contained passwords in plain text.
Why does a breach of a service not connected to Zomato matter? Well, one of the app's developers had an account with the hosting service, and he used the same email and password combination on GitHub. Not very smart, sir.
“With the login credentials for the developer, the hacker was able to use the developer’s password to get into his Github account and review one of our code repositories to which the developer had access,” Zomato writes on its blog.
With that code, the hacker was able to find a vulnerability that helped him gain access to the Zomato database via remote code execution.
The firm says that while there is a risk that somebody other than its devs has access to the code, that code is becoming more outdated every day.
In a bid to prevent this from happening again, Zomato says that two-factor authentication on GitHub is now mandatory and has been for a few months.
As for the hacker – Zomato claims they were an ethical hacker who simply wanted the firm to launch a bug bounty program that would reward hard-working white hats such as himself for the work they do. Putting the database up for sale on the dark web was the hacker's way of getting Zomato's attention, allegedly.
The Zomato ship now appears to have been righted, but we feel that this presents a teachable moment: recycling passwords is a bad idea.

[Image – CC BY 2.0 waferboard]
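The chain described above starts with a password that was both reused across services and sitting in a public leak. As an added illustration (not Zomato's code or anything from the article), the Python below audits a list of (service, password) pairs, such as an export from the user's own password manager, for two things: passwords shared between services, and passwords that appear in a leak corpus. The corpus and the sample credentials are constructed for the example, and `range_lookup` is an offline stand-in for a k-anonymity range query of the kind breach-lookup services offer, where only the first five characters of a SHA-1 hash are sent and the plaintext never leaves the client.

```python
import hashlib
from collections import defaultdict

# Constructed sample corpus: passwords from a hypothetical leak, kept only as
# uppercase SHA-1 hex digests, the way a breach-lookup service holds them.
# "Summer2015!" plays the part of the credential reused in the story.
_LEAKED_PLAINTEXTS = ["password123", "letmein", "hunter2", "Summer2015!"]
LEAKED_HASHES = frozenset(
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _LEAKED_PLAINTEXTS
)


def sha1_hex(password):
    """Uppercase SHA-1 hex digest, the key format used by range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix):
    """Simulated k-anonymity range query (assumption: stands in for a real
    service). The caller sends only the first five hex characters of the hash;
    the answer is the set of suffixes of every leaked hash sharing that prefix."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:] for h in LEAKED_HASHES if h.startswith(prefix)}


def is_breached(password):
    """True if the password is in the leak corpus. Neither the plaintext nor the
    full hash is handed to the lookup; only the 5-character prefix is."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def find_reuse(credentials):
    """Group service names that share the same password.

    `credentials` is a list of (service, password) pairs. Returns one sorted
    list of service names per reused password; unique passwords are omitted.
    Grouping is done on the hash so plaintext is not kept in the result."""
    by_hash = defaultdict(list)
    for service, password in credentials:
        by_hash[sha1_hex(password)].append(service)
    return sorted(sorted(s) for s in by_hash.values() if len(s) > 1)


def audit(credentials):
    """Return (reused_groups, breached_services): services that share a password,
    and services whose password appears in the leak corpus."""
    reused = find_reuse(credentials)
    breached = sorted(service for service, pw in credentials if is_breached(pw))
    return reused, breached


if __name__ == "__main__":
    # Constructed sample vault mirroring the incident: one password reused on the
    # hosting account and on GitHub, and that password is in the leak.
    SAMPLE = [
        ("000webhost", "Summer2015!"),
        ("github", "Summer2015!"),
        ("bank", "correct horse battery staple"),
        ("forum", "hunter2"),
    ]
    reused, breached = audit(SAMPLE)
    print("reused across:", reused)
    print("found in leak:", breached)
```

Either finding alone is worth acting on: a reused password means one third-party breach exposes every account in the group, and a leaked password is already in attackers' credential-stuffing lists. Mandatory two-factor authentication, as Zomato now requires on GitHub, limits the damage when the password check is missed.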