Restaurant search service Zomato hacked, says 17 million customer email addresses and passwords stolen

Restaurant search service Zomato is the latest in a long line of companies to be hacked. The company has revealed that millions of its customer accounts were accessed, with email addresses and hashed passwords stolen.

Zomato, which claims 120 million users each month, said that around 17 million accounts are affected, though it has asserted that financial information and other personal details remain safe. The company also said that the passwords should be safe because that they were hashed, meaning they are essentially a random string of characters that bear no relation to the actual password they conceal.

Though Zomato said that it has automatically reset passwords on the affected accounts, as a precaution users should change their passwords on any other online accounts that use the same password / email address combination.

“We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password,” explained Zomato’s chief technologist, Gunja Patidar, in a blog post. “This means your password cannot be easily converted back to plain text. We however, strongly advise you to change your password for any other services where you are using the same password.”

Founded out of India in 2008, Zomato now operates across dozens of countries, serving up restaurant-focused information such as menus, photos, and locations, while users can submit reviews and ratings similar to those on Yelp. The company has raised more than $240 million in VC funding, including a $20 million round last month from such notable investors as Sequoia Capital.

The company expanded into the U.S. in 2015 with the acquisition of Urbanspoon. However, shortly afterward news emerged that Zomato was laying off many of its U.S. employees and was refocusing its efforts in regions where it was already a market leader. Zomato expanded into real-time delivery-tracking for restaurants with the acquisition of Sparse Labs in September.

The company hasn’t given a definitive reason for this data breach but said that it appears to have been an “internal human security breach” in which an employee’s development account was compromised.

This latest breach follows a string of high-profile security breaches, including the now world-famous WannaCry virus, which exposed millions of systems globally.

Elsewhere, the likes of Yahoo, LinkedIn, Tumblr, and Daily Motion all hit the headlines last year for customer information leaks. And earlier this week DocuSign revealed that a database containing customer email addresses was accessed by hackers after a phishing scam, while Canadian communications giant Canada Bell said that nearly two million of its customer email addresses were stolen.

As for Zomato, the company is adamant that the extent of its data breach should be limited.

“Since we have reset the passwords for all affected users and logged them out of the app and website, your Zomato account is secure,” added Patidar. “Your credit card information on Zomato is fully secure, so there’s nothing to worry about there. Over the next couple of days and weeks, we’ll be actively working to plug any more security gaps that we find in our systems.”