Update #2: Zomato has issued another security update, stating that the hacker has agreed to delete the user data and take the listing down. Zomato settled the breach by promising the hacker that there will be a well-funded bug bounty program run on Hackerone, a bug bounty platform.
“The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers,” wrote Gunjan Patidar, Zomato's CTO, in a blog post published an hour ago.
“We are introducing a bug bounty program on Hackerone very soon. With that assurance, the hacker has, in turn, agreed to destroy all copies of the stolen data and take the data off the dark web marketplace. The marketplace link which was being used to sell the data on the dark web is no longer available.”
FactorDaily can confirm that the dark web link is down. The post goes on to say that “only 5 data points were exposed – user IDs, Names, Usernames, Email addresses, and Password Hashes with salt.”
Update #1: Zomato has updated its blog post after Troy Hunt, an Australian security expert, questioned its earlier claim that a “hashed password cannot be converted/decrypted back to plain text — so the sanctity of your password is intact in case you use the same password for other services.”
In reply, Gunjan Patidar of Zomato, who had written the earlier blog post, changed this to: “We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We, however, strongly advise you to change your password for any other services where you are using the same password.”
Earlier this para read: “The hashed password cannot be converted/decrypted back to plain text – so the sanctity of your password is intact in case you use the same password for other services. But if you are paranoid about security like us, we encourage you to change your password for any other services where you are using the same password.”
In an email exchange with FactorDaily, Hunt said he will be making this breach searchable on his service, Have I Been Pwned, if he sees the dump in data breach trading circles. The website allows a user to check if an email address has been compromised in a data breach.
“The way hashes are broken is they’re ‘cracked’, which usually means taking a whole bunch of possible passwords and then computing them with the same hashing algorithm and comparing them to the ones taken from a system,” said Hunt. Depending on how fast the hashing algorithm is (slow ones are better because it means hashes take longer to crack), and also depending on the strength of the passwords people used, it can be trivial, he added.
“Weak hashing algorithms can be calculated at tens of billions of times per second on consumer hardware, which means it’s easy to make a lot of guesses as to what a password may be. Zomato have actually just revised their statement following my tweet to give more accurate advice and also refer to ‘iterative hashing’, which means using many calculations to slow it down. They don’t provide any more detail (which algorithm, how many hashes), but certainly as a matter of caution you should always advise people to change their password anyway.”
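Zomato's revised description of its password storage (a one-way hash with multiple iterations and an individual salt per password) and Hunt's account of how stored hashes are cracked (hash each candidate with the same algorithm, compare against the stored value) are two sides of the same cost model. The script below is an added example written for this article; it is not code from Zomato, Hunt or the seller. Because Zomato named neither its algorithm nor its iteration count, the example assumes PBKDF2-HMAC-SHA256 as a stand-in for the iterated scheme, and the five-word candidate list and the three user records are constructed. It shows why a fast, unsalted hash such as MD5 lets one computation per guess be checked against every user at once, while a salted, iterated hash forces that work to be repeated per user and multiplied by the iteration count.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "whole bunch of possible passwords" Hunt
# describes; a real wordlist would hold millions of entries.
CANDIDATES = ["123456", "password", "zomato2017", "letmein", "qwerty"]


def md5_hex(password: str) -> str:
    """Fast, unsalted MD5 of a password (the scheme the seller claimed)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """One-way, salted, iterated hash. PBKDF2-HMAC-SHA256 is an assumption:
    Zomato did not say which algorithm or how many iterations it uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(password: str, iterations: int = 200_000) -> dict:
    """Per-user record: fresh random salt plus the iterated hash.
    Two users with the same password get different records."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": pbkdf2_hash(password, salt, iterations)}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    candidate = pbkdf2_hash(attempt, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def crack_unsalted_table(table: dict, candidates) -> tuple:
    """Hunt's loop against unsalted MD5: one hash per guess is compared with
    every stored hash at once. Returns (cracked {user: password}, number of
    hash computations performed)."""
    users_by_hash = {}
    for user, digest in table.items():
        users_by_hash.setdefault(digest, []).append(user)
    cracked, work = {}, 0
    for guess in candidates:
        work += 1
        for user in users_by_hash.get(md5_hex(guess), []):
            cracked[user] = guess
    return cracked, work


def crack_salted_table(table: dict, candidates) -> tuple:
    """The same loop against salted, iterated hashes: each guess must be
    re-hashed for every user (salts differ) and each hash costs `iterations`
    rounds. Work is counted in HMAC rounds so the two schemes are comparable."""
    cracked, work = {}, 0
    for user, record in table.items():
        for guess in candidates:
            work += record["iterations"]
            if verify_password(record, guess):
                cracked[user] = guess
                break
    return cracked, work


if __name__ == "__main__":
    # Constructed users: two weak passwords from the list, one strong one.
    users = {"alice": "123456", "bob": "zomato2017",
             "carol": "correct horse battery staple"}
    unsalted = {u: md5_hex(p) for u, p in users.items()}
    salted = {u: store_password(p, iterations=1000) for u, p in users.items()}
    print("unsalted MD5:", crack_unsalted_table(unsalted, CANDIDATES))
    print("salted PBKDF2:", crack_salted_table(salted, CANDIDATES))
```

With the constructed inputs both schemes give up the two weak passwords, which is why Hunt's advice to change reused passwords stands regardless of the algorithm; the difference is the work counter, five MD5 computations for the whole table versus thousands of HMAC rounds per user, and that ratio is what "iterative hashing" and per-password salt buy a defender.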
Others, such as CIS Policy Director Pranesh Prakash, had also asked what method Zomato had used to hash its passwords.
@factordaily @Zomato What algorithm was used for hashing of the passwords? Important to know…
— Pranesh Prakash (@pranesh) May 18, 2017
According to the seller, ‘nclay’, the hashing algorithm used to secure the passwords at Zomato is MD5. MD5 (Message Digest algorithm 5) was designed as a cryptographic hash function, but it is very fast to compute, which is exactly what makes stored MD5 password hashes cheap to attack by brute force; it has long been considered unsuitable for password storage.