Cyber Incident Victim: Zomato
Date:
May 2017
Location:
India
Summary
Zomato suffered a data breach in which roughly 17 million user records, consisting of email addresses and hashed passwords, were stolen after an employee's development account was compromised (what Zomato called an internal human security breach). The company reset the passwords of affected users and logged them out; payment data was not affected because it is stored separately in a PCI DSS compliant vault. Zomato said it was adding a further layer of authorization for internal access to user data and hardening its database security to prevent a recurrence.
Description
In May 2017, the cybersecurity community became aware of a significant data breach affecting Zomato when HackRead identified a vendor on a Dark Web marketplace using the handle “nclay” who was offering for sale the data of 17 million Zomato users. The vendor set a price of approximately USD 1,001.43 for the complete database, which primarily contained user email addresses and password hashes. To substantiate the claim, “nclay” publicly shared a sample of the stolen data. HackRead researchers verified the sample by confirming that every account in it existed on Zomato’s platform, and by successfully triggering password reset emails for addresses in the sample, which showed they belonged to active Zomato accounts. Note that this verification technique works only because the reset flow reveals whether an address is registered, which is an account-enumeration signal in its own right. The hacker explicitly stated to HackRead that the data had been stolen during that same month, May 2017. Upon discovering the sale, HackRead contacted Zomato directly, providing the sample data and requesting confirmation of a breach, but the company had not responded by the time of the article's initial publication. This incident occurred despite Zomato maintaining an existing bug bounty program, which at the time offered only Hall of Fame recognition or certificates for reported vulnerabilities, and followed a previous security incident in 2015 in which an ethical hacker had identified a critical flaw in Zomato’s data recall system.

Following HackRead's report, Zomato officially acknowledged the breach in a blog post published approximately seven hours after the article's release, confirming the hacker's claims. The company stated that approximately 17 million user records had been stolen from its database, comprising email addresses and hashed passwords. Zomato explained that passwords were protected using a one-way hashing algorithm with multiple iterations and an individual salt per password, making recovery of the plaintext difficult. Per-password salts defeat precomputed tables and keep identical passwords from producing identical hashes, and iterated hashing raises the cost of each guess, but neither stops an offline dictionary attack against weak or reused passwords; that is why the forced reset, not the hashing alone, was the real containment step. Crucially, the company assured users that all payment-related information, including credit card data, was stored separately in a PCI DSS compliant vault and was not compromised. As an immediate containment measure, Zomato reset the passwords for all affected users and forcibly logged them out of both the website and mobile application. The company's internal investigation initially pointed to an internal human security breach, specifically the compromise of an employee's development account, as the likely vector. Zomato outlined subsequent actions, including actively scanning for and closing other potential breach gaps, enhancing overall database security measures, and adding an extra layer of authorization for internal teams accessing user data to prevent a recurrence. The breach impacted a user base that, at the time, included over 120 million monthly visitors, highlighting the substantial scale of the incident and the company's responsibility to safeguard the personal information entrusted to it.
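The following is an added example, not Zomato's code, showing what the salted, iterated scheme described above buys a defender compared with a fast unsalted hash, using a constructed three-user dump and a five-word dictionary. The choice of PBKDF2-HMAC-SHA256, the iteration count, the storage format and the sample users are all assumptions made for illustration; Zomato did not publish its actual algorithm or parameters.

```python
"""Salted, iterated password hashing vs. an unsalted fast hash, and what an
offline dictionary attack costs against each. Added illustration; not Zomato's code."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumption: illustrative PBKDF2 work factor, not Zomato's real setting.
ITERATIONS = 50_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Store as 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' with a fresh
    16-byte random salt per password (hypothetical format chosen for this example)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_md5(password: str) -> str:
    """The weak scheme: one fast hash, no salt. Every user with the same password
    gets the same digest, so one precomputed table cracks the whole dump."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(dump: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Build the lookup table once, then match every victim against it.
    Work is |wordlist| hashes no matter how many users are in the dump."""
    table = {unsalted_md5(w): w for w in wordlist}
    found = {email: table[h] for email, h in dump.items() if h in table}
    return found, len(wordlist)


def crack_salted(dump: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Per-user salts forbid any sharing: each (user, guess) pair is a full PBKDF2 run.
    Returns the recovered passwords and the number of PBKDF2 runs spent."""
    found: Dict[str, str] = {}
    runs = 0
    for email, stored in dump.items():
        for guess in wordlist:
            runs += 1
            if verify_password(guess, stored):
                found[email] = guess
                break
    return found, runs


def demo() -> dict:
    """Constructed sample data (not real Zomato records): three users, two sharing
    a weak password, one with a passphrase absent from the wordlist."""
    users = {
        "alice@example.com": "password123",
        "bob@example.com": "password123",
        "carol@example.com": "correct horse battery staple",
    }
    wordlist = ["123456", "password", "password123", "qwerty", "letmein"]

    weak_dump = {e: unsalted_md5(p) for e, p in users.items()}
    strong_dump = {e: hash_password(p) for e, p in users.items()}

    weak_found, weak_work = crack_unsalted(weak_dump, wordlist)
    strong_found, strong_runs = crack_salted(strong_dump, wordlist)
    return {
        # unsalted: alice and bob share a digest; salted: they do not
        "same_digest_unsalted": weak_dump["alice@example.com"] == weak_dump["bob@example.com"],
        "same_digest_salted": strong_dump["alice@example.com"] == strong_dump["bob@example.com"],
        "weak_found": weak_found,
        "weak_hash_evals": weak_work,
        "strong_found": strong_found,
        "strong_pbkdf2_runs": strong_runs,
        "strong_hash_evals": strong_runs * ITERATIONS,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both schemes give up the two weak passwords: salting and iteration change the price of each guess, not whether a guess in the dictionary succeeds. That is the practical reading of Zomato's statement, and the reason the forced reset was still necessary.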
