The Zomato hack in which 17 million user records were stolen from its database is being contained by the company as it revealed it has gotten in touch with the hacker. Described as "very cooperative" by Zomato, the hacker has asked the company to run "a healthy bug bounty program for security researchers", a request that it has accepted. When the company first admitted to the hack, it said the users' email addresses and hashed passwords had been stolen, but no credit card information as that was stored separately.
In a fresh blog post, Zomato says "We are introducing a bug bounty program on Hackerone very soon. With that assurance, the hacker has in turn agreed to destroy all copies of the stolen data and take the data off the dark Web marketplace. The marketplace link which was being used to sell the data on the dark Web is no longer available."
Zomato reiterated that only user IDs, names, usernames, email addresses, and password hashes with salt were leaked, but since the password can be cracked using brute force techniques, it will be getting in touch with the 6.6 million users whose password hashes were leaked to advise them to change their password on all services where they use the same password.
"The hacker also gave us all the details on the way he/she got access to this database. We will post this information on our blog once we close the loopholes, so that others can learn from our mistakes," an indication that there might be loopholes other than what the hacker already exploited, ones that the company is looking to fix.
"We look forward to working more closely with the ethical hacker community, to make Zomato a safer place for our users," the company added.