Zomato introduces bounty programme after hackers steal data

19 May 2017 - 14:25 By Bruce Gorton

Restaurant database Zomato is set to introduce a bug bounty programme after a hacker stole 17 million users' data.

According to Zomato, the person behind the hack came forward and told them exactly how they did it, and agreed to delete the data in exchange for the company setting up a bounty programme for security researchers.

The data had previously been up for auction on the dark web.

"The marketplace link which was being used to sell the data on the dark web is no longer available," Zomato's chief technology officer Gunjan Patidar said in a blog post.

"He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps," Patidar said.

As a result the company will be introducing a bug bounty on HackerOne, a service that allows companies and security researchers to coordinate their efforts.

Zomato aren't the only ones to use the platform.

Registration is currently open for hackers who want to hack the US Air Force - with a chance of earning "thousands of dollars" for finding security flaws in their systems.

According to Zomato, the hacker revealed how they got access to Zomato's database, and the company will post that information once it has closed the loopholes.

According to the company, five data points were exposed by the hack, "user IDs, Names, Usernames, Email addresses, and Password Hashes with salt".

However, the company has said it will be "cautious and paranoid" - and will be contacting the 6.6 million users whose password hashes were included in the data leak to get them to update their passwords on all services where they might have used the same one.