Online restaurant guide and food ordering app Zomato will be reaching out to 6.6 million users whose ‘hashed’ passwords could be ‘theoretically decrypted’, asking them to update their account security.
The company had reported yesterday that about 17 million user records had been stolen from its database. The records included user email addresses and ‘hashed’ passwords but no payment information or credit card data.
“6.6 million users had password hashes in the ‘leaked’ data, which can be theoretically decrypted using brute force algorithms,” Zomato said in a blog post.
A hashed password is a series of random-looking characters used by companies for security reasons to protect users. The company will be reaching out to these users to get them to update their password on all services where they might have used the same password, it added.
Zomato said it was able to get in touch with the hacker, who had put the stolen user data up for sale. The hacker has agreed to destroy all copies of the stolen data and take the data off the dark web marketplace.
The startup further said it will very soon be introducing a bug bounty programme on HackerOne for security researchers, which was the key demand of the hacker.
“The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps,” Zomato said.
The company said the hacker also gave it all the details on the way he/she got access to this database. “We will post this information on our blog once we close the loopholes, so that others can learn from our mistakes,” it added.