+

Cookies on the Business Insider India website

Business Insider India has updated its Privacy and Cookie policy. We use cookies to ensure that we give you the better experience on our website. If you continue without changing your settings, we\'ll assume that you are happy to receive all cookies on the Business Insider India website. However, you can change your cookie setting at any time by clicking on our Cookie Policy at any time. You can also see our Privacy Policy.

Close
HomeQuizzoneWhatsappShare Flash Reads
 

Here’s how Zomato was hacked

May 24, 2017, 11:34 IST
Online food ordering service Zomato was hacked and data, including e-mail addresses and hashed passwords, of 17 million users was stolen during the security breach.
Advertisement

However, the hacker had reportedly taken off the information from the dark web marketplace and reached a compromise with Zomato.

Deepinder Goyal, founder of Zomato, had said he would reveal the details how the website was hacked and launch a bug bounty program on Hackerone.

In a blogpost, Zomato revealed how the website was hacked.

“The hacker explained to us how he/she was able to breach our infrastructure to access a part of our database. It all started in November 2015, when 000webhost’s user database was leaked online (with plain text passwords). One of our developers had his personal hosting account with the service. As a result of 000webhost’s user account data breach, his email address and password also became available publicly,” the blog stated.

Advertisement

It stated, unfortunately, the developer was using the same email and password combination on Github. “Back then, when 000webhost passwords leaked, we were not using 2 factor authentication on Github (we have been using two-factor authentication on Github since the last few months). With the login credentials for the developer, the hacker was able to use the developer’s password to get into his Github account and review one of our code repositories to which the developer had access (this happened some time last year, but for some reason the hacker only exploited the code very recently),” the blog read.

“Getting access to a part of the code didn’t give the hacker direct access to the database. Our systems are only accessible for a specific set of IP addresses. But the hacker was able to scan through the code, and he ended up exploiting a vulnerability in the code to access the database (via remote code execution). The piece of code which was vulnerable was a part of a deprecated system, and hadn’t been modified for a few years now,” the blog stated signed by Goyal.

You are subscribed to notifications!
Looks like you've blocked notifications!
Next Article