How Zomato was hacked

23 May 2017 - 20:38 By Bruce Gorton

Zomato has revealed how a hacker managed to get the data of 17 million users, data that was subsequently offered up for auction on the dark web.

While Zomato's chief technology officer Gunjan Patidar said that this data did not include credit card data, it did include names, email addresses and protected passwords.

Fortunately the hacker then approached Zomato and, in exchange for the food database putting out a bug bounty to prevent repeat performances, took down the auction and explained how the company got hacked.

Making good on its promise to reveal the details to help others avoid falling victim to the same vulnerability, Zomato have revealed what they learned.

According to a post on Zomato's blog, the process started in November 2015, when 000webhost's user database was leaked online (with plain text passwords).

One of Zomato's developers had a personal hosting account with the service, and so his email address and password became available to the public.

That developer was using the same email and password combination on Github. This was before Github used two-factor authentication, so the hacker was able to use the developer's identity to get into one of Zomato's code repositories.

"Getting access to a part of the code didn't give the hacker direct access to the database. Our systems are only accessible for a specific set of IP addresses. But the hacker was able to scan through the code, and he ended up exploiting a vulnerability in the code to access the database (via remote code execution). The piece of code which was vulnerable was a part of a deprecated system, and hadn't been modified for a few years now," Zomato founder and CEO Deepinder Goyal said in a blog post.

Since the hack, Zomato have made a special effort to make sure that bit of code can't be exploited.

"Also, one more thought that gives us comfort - with every passing day, the leaked code is getting more and more out-of-date," Goyal said.

While Zomato have been advised to take action against the developer, they have decided not to make an example of an individual.

"Instead of pinning the responsibility on someone, we are going to use this as a learning opportunity for all of us," said Goyal.

- TMG Digital/TimesLIVE
