Food delivery app Zomato has said that it recently discovered that the data of 17 million of its users has been stolen from its database. The data includes e-mail addresses of Zomato users.
"The reason you're reading this blog post is because of a recent discovery by our security team - about 17 million user records from our database were stolen. The stolen information has user email addresses and hashed passwords," Gunjan Patidar from Zomato wrote on its blog.
Patidar, however, assured that the passwords of the users were safe. He wrote: "The hashed password cannot be converted/decrypted back to plain text - so the sanctity of your password is intact in case you use the same password for other services. But if you are paranoid about security like us, we encourage you to change your password for any other services where you are using the same password."
Zomato has logged out the affected users. "As a precaution, we have reset the passwords for all affected users and logged them out of the app and website. Our team is actively scanning all possible breach vectors and closing any gaps in our environment. So far, it looks like an internal (human) security breach - some employee's development account got compromised," the blog said.
Telling Zomato users not to panic, the blog post said that the payment-related information of Zomato users was safe as it was saved on a different server.
"Important note - payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked," the Zomato blog said. "Your credit card information on Zomato is fully secure, so there's nothing to worry about there," it added.
Zomato said that it is working on plugging the security gaps. Here's the full text of Gunjan Patidar's blog:
Security Notice
Over 120 million users visit Zomato every month. What binds all of these varied individuals is the desire to enjoy the best a city has to offer, in terms of food. When Zomato users trust us with their personal information, they naturally expect the information to be safeguarded. And that's something we do diligently, without fail. We take cyber security very seriously - if you've been a regular at Zomato for years, you'd agree.
The reason you're reading this blog post is because of a recent discovery by our security team - about 17 million user records from our database were stolen. The stolen information has user email addresses and hashed passwords.
The hashed password cannot be converted/decrypted back to plain text - so the sanctity of your password is intact in case you use the same password for other services. But if you are paranoid about security like us, we encourage you to change your password for any other services where you are using the same password.
Important note - payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked.
As a precaution, we have reset the passwords for all affected users and logged them out of the app and website. Our team is actively scanning all possible breach vectors and closing any gaps in our environment. So far, it looks like an internal (human) security breach - some employee's development account got compromised.
How can this stolen information be misused?
Since we have reset the passwords for all affected users and logged them out of the app and website, your Zomato account is secure. Your credit card information on Zomato is fully secure, so there's nothing to worry about there.
What next?
Over the next couple of days and weeks, we'll be actively working to plug any more security gaps that we find in our systems.
- We'll be further enhancing security measures for all user information stored within our database
- A layer of authorisation will be added for internal teams having access to this data to avoid the possibility of any human breach.