Nearly 17 mn Zomato users’ stolen data now being sold online

Author: IANS/Wednesday, May 17, 2017/Categories: National, Technology

According to information shared on HackRead.com, a user by the name of "nclay" claimed to have hacked Zomato.
 
 "The database includes emails and password hashes of registered Zomato users while the price set for the whole package is USD 1,001.43 (BTC 0.5587). The vendor also shared a trove of sample data to prove that the data is legit," the report said.
 
"The data was stolen this month and this year, May 2017," the hacker told HackRead.
 
Zomato, which has over 120 million users, however said that all the payment records were safe.
 
 "No payment information or credit card data has been stolen/leaked. Payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault," the company wrote in a blog post.
 
 "So far, it looks like an internal (human) security breach -- some employee's development account got compromised," the post said.
 
 Zomato said it has reset the passwords for all affected users and logged them out of the app and website. 
 
 "The hashed password cannot be converted/decrypted back to plain text -- so the sanctity of password is intact in case users' use the same password for other services," the blog post read.
 
But users who habitually reuse the same password across many services are at major risk, as hackers can then also get into other accounts, such as social media or email, experts warned.
 
In general, when someone hacks and copies the data of a website, he copies much more than just the email and the password, as in most cases it is the same database that is used to store other personally identifiable information (PII) of a user.
 
"It is a good thing to see that Zomato was following a good practice of hashing the passwords before storing it on their database, but saying 'The hashed password cannot be converted/decrypted back to plain text' is misleading," Saket Modi, CEO and Co-founder of Delhi-based IT risk assessments provider Lucideus, told IANS.
 
 "Technically what they are saying is correct, i.e. a hashed password cannot be decrypted, but what they aren't saying is -- it is technically possible to break the hashing algorithm to guess the passwords. This has happened in the past," Modi informed.
 
Over 170 million LinkedIn accounts that were hacked were in fact stored as hashes; however, the hashing function used there was the weak Secure Hash Algorithm 1 (SHA1), without any modification (salting).
 
 Hence, almost all the hacked and hashed accounts were broken. 
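The LinkedIn example above is the difference between a fast, unsalted hash and a salted, deliberately slow one. The following is an added illustration, not code from the article or from Zomato or LinkedIn; the user table is constructed sample data. It shows why an unsalted SHA1 table leaks structure (every user with the same password gets the same digest, so one recovered digest or one precomputed table covers all of them), and contrasts it with per-user salting plus a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library), where identical passwords produce unrelated digests and each guess must be recomputed per user.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample "user table" for the illustration: two users happen to
# share a password, which is exactly the case that unsalted hashing exposes.
USERS = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "correct horse battery staple",
    "carol@example.com": "tr0ub4dor&3",
}


def unsalted_sha1(password: str) -> str:
    """The weak scheme the article describes for LinkedIn: plain SHA1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_unsalted(users: dict) -> dict:
    """Build an unsalted password table (the 'before' picture)."""
    return {email: unsalted_sha1(pw) for email, pw in users.items()}


def duplicate_hash_groups(table: dict) -> list:
    """Group users whose stored records are byte-for-byte identical.

    In an unsalted table, equal passwords give equal digests, so a single
    cracked digest unlocks every user in the group and a precomputed table
    built once applies to the whole dump. In a salted table this list is empty.
    """
    groups = {}
    for email, record in table.items():
        groups.setdefault(record, []).append(email)
    return [sorted(members) for members in groups.values() if len(members) > 1]


# Iteration count is an assumption for the example; production deployments
# tune it to their hardware and revisit it over time.
PBKDF2_ITERATIONS = 200_000


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def store_salted(users: dict) -> dict:
    """Build a salted password table (the 'after' picture)."""
    return {email: hash_salted(pw) for email, pw in users.items()}


def verify_salted(record: Tuple[bytes, bytes], candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    _, candidate_digest = hash_salted(candidate, salt)
    return hmac.compare_digest(digest, candidate_digest)


if __name__ == "__main__":
    weak = store_unsalted(USERS)
    strong = store_salted(USERS)
    print("unsalted SHA1 duplicate groups:", duplicate_hash_groups(weak))
    print("salted PBKDF2 duplicate groups:", duplicate_hash_groups(strong))
    print("alice verifies:", verify_salted(strong["alice@example.com"], USERS["alice@example.com"]))
```

The first table reveals that alice and bob share a password even before anyone guesses it; the second does not, and verifying a guess against it costs one full PBKDF2 run per user, which is the property that made the LinkedIn dump so cheap to break in its absence.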
 
"In fact, this is the probable reason why Facebook CEO Mark Zuckerberg's Twitter and Pinterest accounts were also compromised in 2016, as he apparently was using the same password as his LinkedIn account, whose password became public after the hack," Modi told IANS.
 
 "Zomato must tell its users the hashing algorithm it was using before the hack happened," the cyber security expert suggested.
 
 According to Zomato, the team was actively scanning all possible breach vectors and closing any gaps.
 
 "Over the next couple of days and weeks, the company will further enhance security measures for all user information stored within our database and will add a layer of authorisation for internal teams having access to this data to avoid the possibility of any human breach," Zomato said.
 
 This is not the first time that Zomato has been hacked. 
 
 In 2015, the company was hacked by a white hat hacker who reported the details back to the company which later addressed the weaknesses.
 