CALIFORNIA, U.S. - In another hack that has rocked the online world, about 17 million accounts of registered Zomato users were stolen and are now being sold on the Dark Web.
According to reports, the database that includes emails and password hashes of registered Zomato users is being sold on the Dark Web marketplace by a vendor that goes by the online handle of “nclay.”
The vendor, who has priced the whole package of data at $1,001.43, has claimed to have hacked Zomato, the restaurant and event listing service, himself.
The vendor has also shared a trove of sample data to prove that the data is legit.
Further, according to reports, the sample data was tested on Zomato.com’s login page and every account mentioned in the list was found to exist on Zomato.
Zomato, on Thursday, confirmed that about 17 million user records were stolen from its database.
It said in a blogpost on its website that the stolen information contains user email addresses and ‘hashed’ passwords but confirmed that no payment information or credit card data was stolen.
Zomato added that the data theft was discovered by its security team - but did not mention if the hack was related to the global ‘WannaCry’ ransomware attack that has so far infected 150 countries.
In a statement, Zomato said, “Our team is actively scanning all possible breach vectors and closing any gaps in our environment. So far, it looks like an internal (human) security breach - some employee’s development account got compromised.”
Zomato assured its users that their credit card information was fully secure, adding that the “payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault.”
It also said that, as a precaution, it has reset passwords for all affected users and logged them out of its app and website, and that all of the user accounts were secure.
The company said it will be actively working to plug any more security gaps in its systems.
Zomato, which was founded by Deepinder Goyal and Pankaj Chaddah in 2008, was hacked in 2015 by Indian ethical hacker Anand Prakash, who reportedly discovered a critical security flaw in the renowned food and restaurant search engine giant's data recall system and informed the company about it.
The site boasts over 90 million monthly visits in nearly 23 countries across the globe.
Meanwhile, the Dark Web marketplace, which has been flourishing since 2015, currently hosts several vendors selling highly sensitive data stolen from tech and social media giants and is also a thriving market for drugs, weapons, databases, fake documents and other illegal materials.