
Here's Zomato's Explanation On How It Was Hacked

Zomato recently reported data theft of 17 million users. The app-based food ordering firm has nearly 120 million users. It also claimed that no payment information has been stolen.

Zomato said that they were fortunate enough to resolve this with 'minimal damage'.

Online food aggregator Zomato recently suffered a major security breach in which over 17 million user records were compromised. According to Zomato, which has nearly 120 million users, payment data was stored separately from the stolen data, and no payment information or credit card data has been stolen. "As it turned out, the hacker was a security researcher (ethical hacker) who had put up the data for sale to get our attention (and/or to teach us a lesson)," Zomato said in a blogpost.

The app-based food ordering firm also revealed the process of how the hacker accessed its data. "It all started in November 2015, when 000webhost's user database was leaked online (with plain text passwords). One of our developers had his personal hosting account with the service. As a result of 000webhost's user account data breach, his email address and password also became available publicly. 

"Unfortunately, the developer was using the same email and password combination on Github. Back then, when 000webhost passwords leaked, we were not using 2 factor authentication on Github (we have been using two-factor authentication on Github since the last few months). With the login credentials for the developer, the hacker was able to use the developer's password to get into his Github account and review one of our code repositories to which the developer had access (this happened some time last year, but for some reason the hacker only exploited the code very recently)," the blogpost added.
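A defender's check for the chain the blogpost describes, as an added example that is not from Zomato or the original article: it matches a leaked dump against every address staff have registered, personal ones included, and ranks each hit by whether the matching GitHub account lacks two-factor authentication. The roster, dump lines, logins and function names are all constructed assumptions.

```python
# Added example: exposure triage for the password-reuse chain described above.
# All names, addresses and logins below are constructed sample data.

def normalise(email):
    """Lower-case and trim an address so dump and roster entries compare equal."""
    return email.strip().lower()

def leaked_emails(dump_lines):
    """Collect addresses from 'email:password' dump lines, discarding the password."""
    found = set()
    for line in dump_lines:
        # Split on the first ':' only, since passwords may contain ':' themselves.
        email, sep, _password = line.partition(":")
        if sep and "@" in email:
            found.add(normalise(email))
    return found

def triage(roster, dump_lines, two_factor_disabled):
    """Return (severity, login, matched_email) rows, most urgent first."""
    leaked = leaked_emails(dump_lines)
    no_2fa = {login.lower() for login in two_factor_disabled}
    rows = []
    for person in roster:
        hits = sorted(leaked & {normalise(e) for e in person["emails"]})
        if not hits:
            continue
        # A leaked address plus no second factor is the exact gap in the incident.
        severity = "critical" if person["login"].lower() in no_2fa else "high"
        rows.append((severity, person["login"], hits[0]))
    order = {"critical": 0, "high": 1}
    return sorted(rows, key=lambda r: (order[r[0]], r[1]))

# Constructed sample inputs (not real accounts or real leak data).
DUMP = [
    "Dev.One@example.org:hunter2",
    "stranger@example.net:letmein",
    "malformed line without separator",
    "dev.three@example.org:pa:ss:word",
]
ROSTER = [
    {"login": "dev-one", "emails": ["dev.one@corp.example", "dev.one@example.org"]},
    {"login": "dev-two", "emails": ["dev.two@corp.example"]},
    {"login": "dev-three", "emails": ["dev.three@example.org"]},
]
NO_2FA = ["dev-one"]  # logins reported as having two-factor authentication off

if __name__ == "__main__":
    for row in triage(ROSTER, DUMP, NO_2FA):
        print(*row)
```

Rows marked critical need a forced password reset and two-factor enrolment first; rows marked high still need a reset, because the leaked password may be reused elsewhere.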

Zomato said that they were fortunate enough to resolve this with "minimal damage". "This incident taught us a good lesson on the importance of security and how we have to be paranoid about it going forward," the blogpost further stated.

Zomato assured users that their accounts have now been secured, but the incident raises the question of how safe the private data held by companies really is.