Food-delivery app Zomato has published a detailed blog post on how 17 million users' records were compromised after a hacker breached its security infrastructure. Zomato later said the leak had been contained and that it was in touch with the hacker, whom it described as a 'security researcher' and 'ethical hacker'.
What happened with Zomato servers?
A section of Zomato's servers used to store user information was broken into by the hacker, who downloaded five data points for 17 million users: user IDs, names, usernames, e-mail addresses and password hashes. Password hashes are not the same as plain-text passwords, but a leaked hash list can be attacked offline at leisure, so anyone who reused their Zomato password on another service should treat it as compromised and change it there too.
The code used to get into Zomato's infrastructure had been acquired by the hacker back in 2015, when he or she gained access to a code repository belonging to one of the developers working for Zomato after that developer's details were exposed in a user-database leak from a web-hosting platform.
Who is an ethical hacker?
In simple terms, ethical hackers are the good guys of the hacking business: people who probe a computer network, with its owner's permission, to find bugs and loopholes before criminals do. Companies hire certified ethical hackers to test their networks and bolster digital security. That permission is what separates ethical hacking from unauthorised access, whatever the intention behind it.
Why did an ethical hacker hack Zomato?
"We were lucky we could get in touch with the person (hacker) in good time. As it turned out, the hacker was a security researcher (ethical hacker) who had put up the data for sale to get our attention (and/or to teach us a lesson). He/she only wanted us to launch a good bug bounty program on Hackerone, as he/she wanted to make sure that security researchers were rewarded well for their work," Zomato said in the blogpost.
The hacker had put the downloaded information up for sale on the dark web.
There was a similar case in March this year. Bengaluru-based ethical hacker Anand Prakash released a video demonstrating how he could exploit a loophole in the mobile app of taxi-service provider Uber to get free rides for life. However, he had prior permission from Uber's team.
In fact, Prakash had warned Zomato about potential loopholes in its system two years earlier, in 2015. He had warned that Zomato's security was vulnerable and that hackers could access information about its users such as their names, token numbers and even the locations they had visited.
How did Zomato fix the security breach?
Zomato accepted its flaws and agreed to plug holes in their systems. Zomato is now planning to run a bug bounty program on Hackerone, as the hacker demanded.
A bug bounty program is an open invitation from a software developer or website for hackers to report security flaws or bugs in its systems, in return for a reward that usually scales with the severity of what they find.
What about the leaked data of Zomato users?
"The hacker (also) shared the database with us and took the sales link down once we promised to launch the bug bounty program. He/she also agreed to destroy the data at their end immediately," mentioned the Zomato blog.
Zomato says that it will be 'cautious and paranoid' about its operations from now on. Whether that attitude lasts is hard to judge from outside, but the concrete measures it describes, adding further layers of security and splitting its systems into multiple separate environments so that one compromised component does not expose everything else, should make things better for Zomato and its users.