The hacker was a security researcher who had put up the data for sale to get Zomato’s attention and apparently teach it a lesson

Last Thursday, online restaurant listing and food ordering platform Zomato revealed that about 17 million of its user records were stolen from its database. The stolen information included names, emails, numeric user IDs, usernames, and password hashes. Payment information and credit card data were not leaked, as these were stored separately in a highly secure, compliant vault, the company had said.

Yesterday, Zomato CEO Deepinder Goyal narrated the story behind the data breach in another blog post. He also revealed that Zomato has identified the person behind the attack, who happened to be a security researcher and ethical hacker.

The hacker had listed these data points on a dark web marketplace, apparently to teach Zomato a lesson.

“We were lucky we could get in touch with the person (hacker) in good time. As it turned out, the hacker was a security researcher (ethical hacker) who had put up the data for sale to get our attention (and/or to teach us a lesson). He/she only wanted us to launch a good bug bounty program on HackerOne, as he/she wanted to make sure that security researchers were rewarded well for their work. The hacker also shared the database with us and took the sales link down once we promised to launch the bug bounty program. He/she also agreed to destroy the data at their end immediately,” Goyal said in the post.


According to the CEO, the hacker explained to him how he/she managed to breach Zomato’s infrastructure to access a part of its database.

“It all started in November 2015, when 000webhost’s (a free web hosting platform) user database was leaked online (with plain text passwords). One of our developers had his personal hosting account with the service. As a result of 000webhost’s user account data breach, his email address and password also became available publicly.

Unfortunately, the developer (at Zomato) was using the same email and password combination on GitHub. Back then, when 000webhost passwords leaked, we were not using two-factor authentication on GitHub (we have been using two-factor authentication on GitHub for the last few months). With the login credentials for the developer, the hacker was able to use the developer’s password to get into his GitHub account and review one of our code repositories to which the developer had access (this happened some time last year, but for some reason the hacker only exploited the code very recently),” he explained.

“Getting access to a part of the code didn’t give the hacker direct access to the database. Our systems are only accessible for a specific set of IP addresses. But the hacker was able to scan through the code, and he ended up exploiting a vulnerability in the code to access the database (via remote code execution). The piece of code which was vulnerable was a part of a deprecated system, and hadn’t been modified for a few years now,” the post reads.
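The first link in the chain Goyal describes is credential reuse: a password leaked in plain text from a third-party service (000webhost) also worked for the developer's GitHub account. The defensive counterpart is to check leaked credential dumps against your own accounts as soon as a breach is published. The following is an added example, not Zomato's code or anything from the post; the dump, the accounts, and the PBKDF2 hashing scheme are all constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed sample of what a leaked third-party dump with plain-text
# passwords might look like. These are made-up accounts, not real data.
LEAKED_DUMP: Dict[str, str] = {
    "dev.one@example.com": "hunter2",
    "Dev.Two@Example.com": "correct horse battery staple",
    "someone.else@example.net": "letmein",
}

# Assumed password hashing scheme for the organisation's own accounts;
# a real deployment would use whatever its identity system already uses.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_account(email: str, password: str) -> Tuple[str, bytes, bytes]:
    """Build a (normalised email, salt, hash) record as the org would store it."""
    salt = os.urandom(16)
    return (email.strip().lower(), salt, hash_password(password, salt))


# Constructed directory of internal accounts. Only the salt and hash are
# stored; the plain-text passwords appear here solely to build the sample.
ORG_ACCOUNTS = [
    make_account("dev.one@example.com", "hunter2"),                # reused the leaked password
    make_account("dev.two@example.com", "a-different-password"),   # in the dump, but not reused
    make_account("dev.three@example.com", "unrelated-password"),   # not in the dump at all
]


def find_reused_credentials(dump: Dict[str, str], accounts) -> List[str]:
    """Return the emails of accounts whose stored hash matches the password
    leaked for the same email address in the dump.

    Emails are normalised (trimmed, lower-cased) on both sides so that case
    differences in the dump do not hide a match, and hash comparison uses a
    constant-time compare.
    """
    leaked_by_email = {email.strip().lower(): pw for email, pw in dump.items()}
    hits: List[str] = []
    for email, salt, stored_hash in accounts:
        leaked_password = leaked_by_email.get(email)
        if leaked_password is None:
            continue  # this account's email does not appear in the dump
        if hmac.compare_digest(hash_password(leaked_password, salt), stored_hash):
            hits.append(email)
    return hits


if __name__ == "__main__":
    for email in find_reused_credentials(LEAKED_DUMP, ORG_ACCOUNTS):
        print(f"password reuse detected, force reset and require 2FA: {email}")
```

Accounts flagged by this check are the ones for which the leaked third-party password would also log in internally; the sensible response is a forced reset and enrolment in two-factor authentication, which is what the post says Zomato later turned on for GitHub.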


Goyal added that Zomato has taken every step conceivable to make sure that the code cannot be exploited in any way possible to breach the company’s infrastructure. “While this is a case of extraordinarily bad luck, we were fortunate enough to resolve this with minimal damage. This incident taught us a good lesson on the importance of security and how we have to be paranoid about it going forward.”

Zomato claims that the data breach was limited to only one part of Zomato’s database, and the hacker did not gain access to all the various databases used by different businesses. “Keeping lines of communication open with the hacker helped us understand his/her motive for the breach and address his/her (very reasonable) demands. This, in turn, led to the hacker cooperating with us by pulling down the sales listing from the dark web,” he noted.

Goyal signed off the post by saying: “Last thing – we have since been advised by multiple industry experts to take some action against the developer, in order to “set an example” and “influence public perception”. We know that this mishap is on the organisation, and not on an individual. Instead of pinning the responsibility on someone, we are going to use this as a learning opportunity for all of us.”


The post Zomato CEO Deepinder Goyal explains how a hacker stole 17M user records appeared first on e27.