Anushree Shukla

4138 Brooklyn Ave NE

Seattle, WA 98195
ashukla3@uw.edu

Zomato leaves 17 million users hangry

On May 17th 2017, Zomato, India’s leading restaurant search and discovery app service and one

of Yelp’s competitor was hacked, comprising the user credentials for over 17 million customers.

The company that was founded in India by Deepinder Goyal and Pankaj Chaddah currently

operates in 23 countries worldwide. They are dedicated to providing seamless interactions for

users to find and order from restaurants in the vicinity by providing multiple search filters such

as Cuisine, Delivery Time, Cost for Two and other Quick Filters in the quest to become the

leading food and restaurant search application worldwide (Zomato). Commented [AS1]: You need a citation here to establish
source of Zomato information.
But in the world of security, it is difficult for firms to be breach free and unfortunately

Zomato couldn't keep up either. The hack of 2017 brought Zomato on the public forefront when

the company disclosed that their system had been breached. While it was initially speculated to

be a breach caused by an employee, an update via Zomato Blogs confirmed that the hack was

carried out by hacker nClay, an ethical security researcher, to plug the gaps in Zomato’s security

infrastructure. While it is speculated that the hacker had informed Zomato of vulnerabilities in

their infrastructure before going ahead with the breach, nClay was a key player in helping

Zomato identify their weak links.

It all began on November 2015 when 000webhost, a free web hosting resource was

hacked, leaking over 13 million user-id and passwords. From the list of compromised clients was

one of Zomato’s developers that had used this service to host his personal website. While this

may not seem like a relevant linkage for the average person, it acted as the base for nClay’s hack.

What made it easier for the hacker was coming across a similar password combination for his

1
official GitHub account. This case serves as a prime example of a breach that took place because

of a previously compromised system – a commonly seen issue within the security community.

This event led the hacker to gain access to one of code repositories, which turned out to be easier

to breach than today since Zomato was not using two-factor authentication at the time. In

addition, while their systems were only accessible to a specific set of IP addresses, the hacker

was able to view the code and exploit a vulnerability to access the database via a remote code

execution. “The piece of code which was vulnerable was a part of a deprecated system, and

hadn’t been modified for a few years now” says CEO Goyal (Zomato). Luckily this leaked code

was becoming more and more outdated by the day and in addition, Zomato has also taken steps

to ensure that this code does not affect the company’s infrastructure ever again.

This event exposed the company to external fraud and information security risks. While

cases like these, for the most part, pose huge reputational risks, Zomato did a great job at saving

its reputation by being transparent and empathetic with their users. Zomato displayed an

“Effective Board Oversight” (Proviti) that minimized the threat to reputation to an appropriate

and manageable level that would instill trust back to their customers. They did this by releasing

three consecutive security updates via Zomato Blogs. The first update set the tone for the

aftermath of the event. The executives were accepting and apologetic yet strategic in telling the

users that no other sensitive data such as credit card information was stolen since they use a

secure PCI DSS (Data Security Standard) compliant vault. Although their card information was

not breached this time companies like Chipotle have suffered data breaches with the

same/similar PCI model in place. This illustrates the need for iterative and ongoing security

practices to ensure maximum protection of data security. The following update gave a run-down

reflection of how the hack went down as disclosed by the ethical hacker, with whom they shared

2
an open line of communication. Their last update in July gave their customers insight on the

details of the events as well as providing lessons learned for the greater security community. And

as a result of negotiating with the hacker, Zomato had also decided to roll out a monetary bug

bounty program on HackerOne, as a way to ensure better security practices and incentivizing the

great hacker community to join their mission. In addition, they will also host product meet-ups to

discuss different issues related in regards to security within the NCR-Delhi, India region.

As with any breach, external fraud usually makes up for major risk factors. In this case

and similar to many data breach cases, informational security was at risk. Though hacker nClay

was considered an ethical hacker (Goyal, Security Update – What really happened? And what

next?), he was an outsider that breached the system and put up the data for sale on the Dark Web Commented [DT2]: Please provide supporting references

for a price of 0.55 BTC or $1000. Though it was soon taken down, it still poses a threat to the 17

million people whose information was leaked. What makes matters worse is how unaware most

of these users are that their data can be misused in ways completely unknown to them. Which

brings us to understanding how India as a country takes matters of data security and privacy in

their hands and how India based startups like Zomato, that carry a global presence, adhere to

such regulations.

With Prime Minister Narendra Modi’s Digital India initiative (Government of India),

there has been a recent focus to innovate policies and best practices to expand the access of

digital services, knowledge and information from around the world to bring India at the

technology forefront. While India has all the right resources and educational youth to be

technologically savvy, what it currently lacks is governmental regulation around innovation

around data and security. While tech giants such as Microsoft, Google, Amazon and Facebook

have poured tremendous amounts of money into the Digital India initiative, it has also created a

3
public debate of how privacy currently functions in India. "There is an unprecedented need for

regulation regarding [how] such information can be stored, processed and used." (Iyengar)

Heated and politicized court cases against the government’s role in protection of citizens in the

digital world can cause implications for the country’s recent biometric identification program

called Aadhaar. A lot of companies including these tech giants have been able to leverage the

loose system and are speculated to have misused the system to access personal data that the

government and public now understands requires proper implemented regulations (Iyengar). This Commented [DT3]: Please provide supporting references

contextualizes why Zomato did not have government reporting or government regulations that

could have prevented this act since data privacy across companies based in India is new and

currently being formulated.

The Data Protection Law that is in the works to release this month, December 2017, will

provide a robust data protection framework to regulate and administer how international and

domestic companies use and store customer data, whilst still allowing for innovative practices.

But Zomato has an online presence and the next large part of their user base in terms of

popularity and number of locations resides in Australia.

The Australian government has a robust document of privacy principles that the country

adheres to with a special focus on different areas of security of personal information. This entire

set of regulations helps create structure to those companies that ask for personal information

from Australian citizens. “[An entity] should consider how it will protect personal information at

all stages of the information lifecycle. This should be considered before an entity collects

personal information (including whether it should collect the information at all), as well as when

the information is collected and held, and when it is destroyed or de-identified when no longer

needed.” (Australian Government). Though there were no lawsuits in the case of Zomato’s

4
breach but regulations like these set the standards and impose better security and privacy

practices both among individuals within a company and for the company as whole.

In today’s world, the breach of user credentials is seen to be very common. Even the

smallest mistakes can lead to huge catastrophes in the world of cyber security. As illustrated

throughout this paper, Zomato’s hacker was able to use the smallest vulnerability to his

advantage and expose over 17 million users, that will forever be immune susceptible to threat Commented [DT4]: Did you mean susceptible to threat as
supposed to immune to threat?
since their information is out there. But truth is, this breach wasn’t nearly as bad as some of those Commented [Office5R4]:

out there. Had Zomato not used a secure PCI Data Security Standard (DSS) compliant vault to

store its user’s payment information, then we can only imagine the uproar it would create. Not

only would it create huge a much larger security breach, but also would suffer huge reputational

risk factors that the company may not be able to come back from. Therefore, in order to mitigate

and prevent such data breaches in the future, it is important to reflect and prepare for the next

one. While that may sound strange, but in the world of security, breaches are inevitable but the

impact is in our hands.

In Zomato’s case there were several areas where things fell apart. Firstly, back in 2015,

Zomato had not set up 2 factor authentications for its company employees. This not only gave

the hacker access to view an old code repository, but it opened the doors to a set of other

vulnerabilities. Zomato caught on and implemented 2 factor authentication a couple months

before the breach which cut the hacker off their GitHub access, but by that time he was already

working off an old code base to expose a vulnerability in the company infrastructure.

This then leads us to identifying problem number two, “[n]ot understanding what their

own code truly does and how other code in their system actually works” says Ryan Satterfield,

cyber security specialist (Lord). He adds, “It's one thing to write code, but even the largest

5
companies underestimate how their program can be used by an attacker.” Most non-security

teams don’t fix bugs that they don’t understand and often restart code bases instead of cleaning

up old files. This is exactly what Zomato did and therefore suffered a large data breach. A bug

may seem minor, but attackers know how to manipulate that bug to cause major impacts and

steal information. Therefore, it is highly recommended that Zomato developers be trained in

defensive programming so that they understand security vulnerabilities and know how to prevent

them. These vulnerabilities can be identified by using static tools which can be followed by code

reviews and iterative security testing to prevent vulnerabilities during different push phases -

development and production.

The next breaking point in Zomato’s security was poor hashing practices. Zomato uses

weak MD5 hash salts that can be easily decoded using brute force (Goyal, Security Update –

What really happened? And what next?). In order to enable a more secure practice, it is Commented [DT6]: Please provide supporting references

recommended to use Hash Stretching by generating a strong random salt and feeding it into a

secure looping algorithm that will iterate the hash thousands of times. But generating an

algorithm from scratch would not be the best way to do this. Using both the PBKDF2 repeating

algorithm and the HMAC-SHA-256 hashing algorithm, will ensure that the hacker undergoes a

longer but timed offline attack that is directly proportionally to the number of times the loop is

iterated. In short, the combination of these algorithms is a key that you hash, plus the message

that you give it and then rehash a permuted version of this key plus the addition of the first hash.

“Store the iteration count, the salt and the final hash in your password database” (Ducklin).

Therefore, the only time that the password will be disclosed will be when it is correctly

authenticated or else till then it will remain in this unique hashed form. You can then increase

your iteration count to keep up with faster cracking tools.

6
 Lastly, to ensure that the company uses better access controls, it is recommended that

they add multiple layers of authorization for those areas in need of it. This can help separate the

systems even more so and allow for internal security in teams to understanding patterns and

prioritization when dealing with the next hack. “That is, knowing the processes used by the

Actors, the tools (Actions) to accomplish their goals and how many of these patterns begin with

the same or similar bag of tricks” (Bisson). These recommendations illustrate the need for

iterative and ongoing education to ensure better security practices so that such a breach in the

future is anticipated and its impacts are foreseen and minimized.

But security is a two-way street and while these recommendations will help Zomato

secure their users, it is also recommended that users take the time to understand the risk that such

a breach can cause. While most people have the same passwords across multiple accounts,

making them easier to chain and guess. Even an iteration of a password can be guessed easily in

today’s world. This is when such habits become risky in cases of breach and therefore it is

recommended to use cloud password managers like LastPass, that ensures data encryption and

password management. Essentially services such as this hash and store your individual account Commented [DT7]: Great point

passwords to the cloud, which are only accessed and hashed back during specific authentication

portals. For example, LastPass’s chrome extension prompts the user to store a password every

new login and then throws that password back when a user returns to the same website. The

“LastPass[word]” that you need to know is the LastPass password that open the doors to your

encrypted password database.

Throughout this read if one thing is evident then it’s that security breaches are inevitable.

We will forever be in a race to keep up with the world of hackers, some of which might be

ethical while some may have other agendas. But what we can control is the effect that such an

7
event can create by practicing better security measures and planning strategic mitigation

strategies ahead of time. There are numerous cases of breaches that have taken place mostly

because of poor planning which rolls into poor execution. Though governmental regulations play

a huge role in defining the nature of different industries and sectors, it mostly comes down to the

specific organization to take ownership of their security and reap the consequences of this

ongoing battle. We hope to see Zomato learn from their security and infrastructure blunders and

look forward to seeing the next phase of their security and privacy practices.

8
Works Cited
n.d.
Agarwal, Surabhi. "Data Protection Bill To Be Passed By December: Law Minister Ravi
Shankar Prasad." n.d. The Economic Times.
<https://economictimes.indiatimes.com/news/economy/policy/data-protection-bill-to-be-
in-place-by-december-law-minister-ravi-shankar-prasad/articleshow/60227629.cms>.
Australian Privacy Principles guidelines. "Australian Privacy Principles guidelines." n.d. OAIC.
<https://www.oaic.gov.au/images/documents/privacy/applying-privacy-law/app-
guidelines/APP-guidelines-combined-set-v1.pdf>.
BISSON, DAVID. "Takeaways from the 2016 Verizon Data Breach Investigations Report."
April 2016. The State of Security. <https://www.tripwire.com/state-of-security/security-
data-protection/cyber-security/takeaways-from-the-2016-verizon-data-breach-
investigations-report/>.
BSIMM. "BSIMM." n.d. The BSIMM has launched—don’t miss the latest findings.
<https://www.bsimm.com/>.
Bureau, ET. "Zomato achieves operational milestone." n.d. Economic Times.
<https://economictimes.indiatimes.com/small-biz/startups/zomato-achieves-operational-
milestone-in-six-countries-out-of-23/articleshow/50894493.cms>.
Dowal, Pankaj. "Data protection law coming soon to tackle misuse of private info by social
media and tech giants." 24 August 2017. Times of India.
<https://timesofindia.indiatimes.com/india/data-protection-law-coming-soon-to-tackle-
misuse-of-private-info-by-social-media-and-tech-giants/articleshow/60212900.cms>.
Ducklin, Paul. "Serious Security: How to store your users’ passwords safely." n.d. Naked
Security. <https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-
your-users-passwords-safely/>.
Goverment of India. "Digital India." n.d. Digital India. <https://www.mygov.in/group/digital-
india/>.
Goyal, Deepinder. "Security Update – What really happened? And what next?" 23 May 2017.
Zomato. <https://www.zomato.com/blog/security-update-what-really-happened-and-
what>.
—. "Security Update – What really happened? And what next?" n.d. Zomato. <
https://www.zomato.com/blog/security-update-what-really-happened-and-what>.
Iyengar, Rishi. "Privacy is now a right in India. Here's what that means for the tech industry."
August 2017. CNN. <http://money.cnn.com/2017/08/29/technology/india-right-to-
privacy-tech-industry-aadhaar/index.html>.
Kerner, Sean Michael. "Chipotle Breach Exposes Continued Point-of-Sale Cyber-Security
Risks." 30 May 2017. eWeek. December 2017. <Chipotle Breach Exposes Continued
Point-of-Sale Cyber-Security Risks>.
LastPass. "LastPass." n.d. LastPass. <https://www.lastpass.com/>.
Lord, Nate. "AN EXPERT GUIDE TO SECURING SENSITIVE DATA: 34 EXPERTS
REVEAL THE BIGGEST MISTAKES COMPANIES MAKE WITH DATA
SECURITY." n.d. Digital Guardian. <https://digitalguardian.com/blog/expert-guide-
securing-sensitive-data-34-experts-reveal-biggest-mistakes-companies-make-data>.
Protiviti. "
https://www.protiviti.com/sites/default/files/united_states/insights/board_perspectives_-
_risk_oversight_-_issue_83_-_board_oversight_of_reputation_risk.pdf." 2012. Protiviti.

9
 <https://www.protiviti.com/sites/default/files/united_states/insights/board_perspectives_-
_risk_oversight_-_issue_83_-_board_oversight_of_reputation_risk.pdf>.
PWC. "Proactively managing major data-breach risks." September 2017. PWC.
<https://www.pwc.com/us/en/cybersecurity/broader-perspectives/proactively-managing-
data-breach-risks.html>.
Rai, Saritha. "Asia FEB 8, 2016 @ 02:21 AM 17,135 The Little Black Book of Billionaire
Secrets Food Startup Zomato Is India's First E-Commerce Unicorn To Break Even,
Headed For Profitability." n.d. Forbes. <
https://www.forbes.com/sites/saritharai/2016/02/08/food-startup-zomato-is-indias-first-
unicorn-to-break-even-headed-for-profitability-by-mid-2016/#c2b067a4ba8f >.
Synopsys. "Synopsys." n.d. Synopsys. <https://www.synopsys.com/software-
integrity/training/software-security-courses.html>.
The Centre for Internet & Society. "Internet Privacy in India." 2016. The Centre for Internet &
Society. < https://cis-india.org/telecom/knowledge-repository-on-internet-access/internet-
privacy-in-india >.
Zomato. "Zomato." n.d. Zomato. <https://www.zomato.com/>.

Agarwal, Surabhi. "Data Protection Bill To Be Passed By December: Law Minister Ravi
Shankar Prasad." n.d. The Economic Times.
<https://economictimes.indiatimes.com/news/economy/policy/data-protection-bill-to-be-
in-place-by-december-law-minister-ravi-shankar-prasad/articleshow/60227629.cms>.
Australian Privacy Principles guidelines. "Australian Privacy Principles guidelines." n.d. OAIC.
<https://www.oaic.gov.au/images/documents/privacy/applying-privacy-law/app-
guidelines/APP-guidelines-combined-set-v1.pdf>.
BISSON, DAVID. "Takeaways from the 2016 Verizon Data Breach Investigations Report."
April 2016. The State of Security. <https://www.tripwire.com/state-of-security/security-
data-protection/cyber-security/takeaways-from-the-2016-verizon-data-breach-
investigations-report/>.
BSIMM. "BSIMM." n.d. The BSIMM has launched—don’t miss the latest findings.
<https://www.bsimm.com/>.
Bureau, ET. "Zomato achieves operational milestone." n.d. Economic Times.
<https://economictimes.indiatimes.com/small-biz/startups/zomato-achieves-operational-
milestone-in-six-countries-out-of-23/articleshow/50894493.cms>.
Dowal, Pankaj. "Data protection law coming soon to tackle misuse of private info by social
media and tech giants." 24 August 2017. Times of India.
<https://timesofindia.indiatimes.com/india/data-protection-law-coming-soon-to-tackle-
misuse-of-private-info-by-social-media-and-tech-giants/articleshow/60212900.cms>.
Ducklin, Paul. "Serious Security: How to store your users’ passwords safely." n.d. Naked
Security. <https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-
your-users-passwords-safely/>.
Goverment of India. "Digital India." n.d. Digital India. <https://www.mygov.in/group/digital-
india/>.
Goyal, Deepinder. "Security Update – What really happened? And what next?" 23 May 2017.
Zomato. <https://www.zomato.com/blog/security-update-what-really-happened-and-
what>.

10
—. "Security Update – What really happened? And what next?" n.d. Zomato. <
https://www.zomato.com/blog/security-update-what-really-happened-and-what>.
Iyengar, Rishi. "Privacy is now a right in India. Here's what that means for the tech industry."
August 2017. CNN. <http://money.cnn.com/2017/08/29/technology/india-right-to-
privacy-tech-industry-aadhaar/index.html>.
Kerner, Sean Michael. "Chipotle Breach Exposes Continued Point-of-Sale Cyber-Security
Risks." 30 May 2017. eWeek. December 2017. <Chipotle Breach Exposes Continued
Point-of-Sale Cyber-Security Risks>.
LastPass. "LastPass." n.d. LastPass. <https://www.lastpass.com/>.
Lord, Nate. "AN EXPERT GUIDE TO SECURING SENSITIVE DATA: 34 EXPERTS
REVEAL THE BIGGEST MISTAKES COMPANIES MAKE WITH DATA
SECURITY." n.d. Digital Guardian. <https://digitalguardian.com/blog/expert-guide-
securing-sensitive-data-34-experts-reveal-biggest-mistakes-companies-make-data>.
Protiviti. "
https://www.protiviti.com/sites/default/files/united_states/insights/board_perspectives_-
_risk_oversight_-_issue_83_-_board_oversight_of_reputation_risk.pdf." 2012. Protiviti.
<https://www.protiviti.com/sites/default/files/united_states/insights/board_perspectives_-
_risk_oversight_-_issue_83_-_board_oversight_of_reputation_risk.pdf>.
PWC. "Proactively managing major data-breach risks." September 2017. PWC.
<https://www.pwc.com/us/en/cybersecurity/broader-perspectives/proactively-managing-
data-breach-risks.html>.
Rai, Saritha. "Asia FEB 8, 2016 @ 02:21 AM 17,135 The Little Black Book of Billionaire
Secrets Food Startup Zomato Is India's First E-Commerce Unicorn To Break Even,
Headed For Profitability." n.d. Forbes. <
https://www.forbes.com/sites/saritharai/2016/02/08/food-startup-zomato-is-indias-first-
unicorn-to-break-even-headed-for-profitability-by-mid-2016/#c2b067a4ba8f >.
Synopsys. "Synopsys." n.d. Synopsys. <https://www.synopsys.com/software-
integrity/training/software-security-courses.html>.
The Centre for Internet & Society. "Internet Privacy in India." 2016. The Centre for Internet &
Society. < https://cis-india.org/telecom/knowledge-repository-on-internet-access/internet-
privacy-in-india >.
Zomato. "Zomato." n.d. Zomato. <https://www.zomato.com/>.

11