A Popular Restaurant App Says 17 Million Customer Emails and Passwords Were Stolen

Credit-card info should be safe, but it can’t hurt to change that log-in password.

Zomato, a restaurant-listing service used by over 120 million people each month, warns that about 17 million user records have been stolen by hackers. In a notice posted to the company blog last night, chief technologist Gunjan Patidar says the company’s security team discovered “an internal (human) security breach” in Zomato’s database, after “some employee’s development account got compromised.” That team is now busy “scanning all possible breach vectors,” but Patidar notes that, on the glass-half-full side, all the thieves got were email addresses and hashed passwords. The passwords were already hashed as a security precaution, meaning that they were stored as a seemingly random string of characters that cannot be read back directly as users’ real passwords.

In addition to this safeguard, Zomato adds that users’ payment info is safely kept somewhere else, so it wasn’t affected by the attack. The company also automatically logged all affected users out of their accounts and reset their passwords, but it advises everyone to change the log-in on any other online account that uses that same password. The India-based company isn’t as ubiquitous in America as Yelp or Grubhub, but it handles reviews as well as online orders, so it actually competes with both. It’s also worth at least $500 million, ever since acquiring Urbanspoon in 2015 to expand its U.S. presence.

The company promises that it’s “actively working to plug any more security gaps that we find in our systems” in the next couple of days.
