The restaurant search and discovery service Zomato, which boasts more than 120 million users per month, recently announced that its security team discovered that approximately 17 million user IDs, names, user names, email addresses and hashed passwords were stolen from its database.
"We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password," the company stated. "This means your password cannot be easily converted back to plain text. We however strongly advise you to change your pasword for any other services where you are using the same password."
All affected users' passwords have been reset, and the company says all payment information is stored in a separate database that wasn't impacted by the breach.
In an update, Zomato stated that hacker, who had put the user data up for sale, had agreed to destroy all copies of the stolen data and take it off the market. "The marketplace link which was being used to sell the data on the dark Web is no longer available," the company said.
The hacker wanted the company to acknowledge its security vulnerabilities and launch a bug bounty program -- and Zomato says it's planning to introduce a bug bounty program on HackerOne "very soon."
The hacker also provided detailed information on how the database was accessed, which the company says it will make publicly available once all loopholes are closed, "so that others can learn from our mistakes."
"Having said that, we are going to be cautious and paranoid, as this is a sensitive matter," the company added. "6.6 million users had password hashed in the 'leaked' data, which can be theoretically decrypted using brute force algorithms. We will be reaching out to these users to get them to update their password on all services where they might have used the same password."
Brand Impact of a Breach
According to a recent Ponemon Institute study on the brand impact of a data breach, breached companies' stock value declined by an average of five percent on the day a data breach was disclosed, and experienced up to a seven percent customer churn.
The survey, sponsored by Centrify, also found that 31 percent of consumers impacted by a data breach said they had discontinued their relationship with the breached organization, and 65 percent said they had lost trust in that organization.
Still, 45 percent of IT practitioners surveyed don't believe brand protection is taken seriously in the C-suite.
While 80 percent of consumers surveyed said organizations have an obligation to take reasonable steps to secure their personal information, just 65 percent of CMOs and 64 percent of IT professionals agree.
Similarly, while 70 percent of consumers think organizations have an obligation to control access to their information, less than half of CMOs and IT security practitioners agree.
Fifty-six percent of IT practitioners aren't confident they have the ability to prevent, detect, and resolve the consequences of a data breach, and more than half worry that a data breach would cost them their job.
Centrify CEO Tom Kemp said in a statement that the findings should serve as a wakeup call to every organization that security isn't just about protecting data -- it's about protecting the business.
"It is no longer just an IT problem -- it must be elevated to the C-suite and boardroom because it requires a holistic and strategic approach to protecting the whole organization," Kemp said.