Less than 24 hours after revealing a major security breach that compromised the accounts of millions of users, restaurant search service Zomato has revealed that it has engaged with the hacker responsible and has agreed to meet certain conditions in exchange for the stolen data being removed from the dark web.

To recap, India-based Zomato, which claims around 120 million users each month, revealed yesterday that around 17 million email addresses and hashed passwords had been stolen, but it later clarified that 60 percent of those accounts actually used third-party OAuth services to log in, such as Facebook and Google. But that still left around 7 million users vulnerable, particularly if they reused the same email / password combination on other services.

Though Zomato had sought to assure the affected users that their passwords could not easily be recovered from the stolen hashes, it seems that was not necessarily the case, with some security experts claiming they were able to crack some passwords relatively quickly, while others poured scorn on Zomato’s cryptographic efforts.

MD5 with a 2 char hex salt – WTF?! "Restaurant App Zomato Says Your Stolen Password Is Fine. But Is It?" https://t.co/2NBTnAdosF

— Troy Hunt (@troyhunt) May 18, 2017

The alleged hacker claiming responsibility for the hack told Motherboard that they found the vulnerability in Zomato’s infrastructure around a year earlier, and after reporting it to the company they heard nothing back. And so they went medieval on Zomato by posting the data to the dark web for sale, leading Zomato to “open a line of communication” with the hacker, who it turns out was “very cooperative” with Zomato.

“He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps,” explained Zomato’s chief technologist, Gunjan Patidar. “His/her key request was that we run a healthy bug bounty program for security researchers.”

And so that is exactly what Zomato says that it will do. Though Zomato has had an active profile on HackerOne for more than a year, it has hitherto failed to offer financial incentives for ethical hackers wishing to submit bug reports. Moving forward, that will change.

“We are introducing a bug bounty program on HackerOne very soon,” continued Patidar. “With that assurance, the hacker has in turn agreed to destroy all copies of the stolen data and take the data off the dark web marketplace. The marketplace link which was being used to sell the data on the dark web is no longer available.”

While the link to the stolen data on the dark web has been removed, there is no guarantee that the data will be destroyed, of course, but given the alleged hacker’s suggested course of action, there is every reason to suspect that it is a genuine ethical hacker at work here. And hopefully it will have the desired effect — to ensure Zomato improves its online security.

“This incident has made our team’s commitment to addressing all our security issues in a responsible and timely manner even stronger,” added Patidar. “We look forward to working more closely with the ethical hacker community, to make Zomato a safer place for our users.”

Shared From Venturebeat