by Nirmal John
The email was from a blogger at the Milan-based security blog, HackRead. Patidar opened it and started reading. As his eyes took in the words, he could feel his heart pounding and his breath becoming heavier. The blogger claimed that a large cache of Zomato’s user data had been listed, available to anyone paying the asking price, on a marketplace on the dark web.
The HackRead blogger had stumbled across this new listing for the data of 17 million people from Zomato, prompting him to connect with the company on the email ID reserved for matters of security. The blogger had reached out for Zomato’s reaction on the revelation as he was going to post about the breach on HackRead.
The dark web is essentially a grouping of sites on the Internet that require specialized tools to access them. Short for The Onion Router, the TOR browser is the most popular tool used to access sites on the dark web that are hidden away from the eyes of the normal Chrome and Firefox users of the Interwebs. While the dark web has become synonymous with illegal activity like selling of drugs and child pornography, it has been an important force in fighting censorship and enabling whistle-blowing.
Almost everything that happens in the world of breaches and hacking invariably pops up, either in forums or in marketplaces on the dark web. Patidar knew that bloggers documenting the security business often hang around the marketplaces on the dark web. That’s usually where they got the breaking news on security breaches.
The mail didn’t specify the nature of the data or even the name of the marketplace where it was listed. But the import of what it said spooked Patidar. He would have to check for himself and see if the information the blogger shared was true; and if it indeed was and the company data was up for sale, it would be terrible news.
He gathered a few of the key names at Zomato—Deepinder Goyal, the founder and CEO, Shrey Sinha, in charge of Zomato’s Internet infrastructure, and Pradyot Ghate, associate vice president—and walked them into a small conference room and shut the door. He quickly briefed them on the email before powering up TOR.
Even if you’re connected to the dark web through TOR, it is not the easiest of places to find the stuff you want if you don’t know where to look. It is not exactly built keeping discoverability and search-ability in mind.
Patidar and the others in the war room had to be patient as they didn’t know the name of the site where the blogger had seen the data listed for sale. That meant they had to crawl through the various top marketplaces on the dark web, examining page after page of recent listings.
Hansa Market is among the relatively well-designed dark web marketplaces. The layout of most marketplaces, and indeed of most sites on the dark web, tends to be functional at best. Those behind the development of Hansa Market had clearly taken in some of the user interface cues from e-commerce, and that helped it look better and friendlier to use than many of the other dark web platforms. The right side of the site has the first-level navigation menu detailing the categories of ‘merchandise’ available on Hansa Market, from drugs to fraud related to erotica to counterfeits.
Hansa Market is highly rated for security. Users swear by the platform and its features that strive to ensure that the users’ crypto-currency transactions are secure both for the buyer and seller. This means that while Hansa Market is certainly not the biggest of its type on the dark web, it is generally talked about as among the more trustworthy ones out there, having put up systems in place to ensure that the buyer gets what he ordered and the seller gets paid correctly.
Hansa Market was taken down in a global operation headlined by the Federal Bureau of Investigation (FBI), the US Drug Enforcement Agency (DEA) and the Dutch National Police, along with Europol in July 2017.2
But in May the third largest marketplace on the dark web was alive and well. Hansa Market was where Zomato found the listing. It had taken a while, but Patidar and the rest of Zomato’s team that was in the room had finally stumbled on to something they were hoping wouldn’t be there.
Zomato Database Breach (17 million entries, md5 encryption)
USD 1001.45 (Including 1.45 Transaction Fee)
B 0.5521
There was even the Zomato logo and a screenshot of some of the data accompanying the listing.
Patidar was angry, confused, scared and discombobulated. There was so much that was unknown. He didn’t know how nclay, the seller who had put up the listing, had got hold of the data; neither did he know what else the intruder had taken from the system. Was it the result of a failure of internal access control or was it an external attack?
He vividly remembers the struggle in his mind, the conflicting forces of anger and the need to keep a calm mind. ‘You’re angry because you don’t know the impact it can have on the entire company or the users. But you have to stay calm. Only then will you be able to logically think about what your reaction should be to this. The important bit is to figure out what happened and how it happened.’ The more information he had, the better he could strategize his next steps.
The first thing that had to be done was to quickly confirm that what was up was indeed real user data. This they could do by simply comparing the sample data in the listing to Zomato’s own database. That didn’t take much time. The data in the sample screen shot was soon confirmed to be authentic.
What was up for grabs to anyone to buy included the emails and password hashes of users of Zomato who had signed up using their email IDs rather than the third-party log-in services provided by Facebook and Google. The passwords in the document were the encrypted or hashed values and not the actual passwords themselves. Those who had access to the document could not immediately figure out the exact passwords, but all they had to do was to decrypt the meaningless, jumbled string of characters.
Unfortunately, this could prove remarkably easy in this case because the hashing protocol used—Message Digest algorithm 5 algorithm, short for MD5—is generally considered as among the more basic forms of encryption, having been invented by cryptographer Professor Ronald Rivest way back in 1991.
While Zomato did salt the hashes—salting meant the addition of extra values to the hashed password to make it a little more complex to decrypt—it wasn’t impossible to untangle them. You could still decrypt by using brute force algorithms that would try all possible combinations in quick succession. Security researchers and technology observers would later remark that it was remarkably irresponsible of Zomato to use basic encryption when better, more complex options were available.3
These decrypted passwords could then be used to access Zomato. From a user point of view, that wasn’t the only problem. The reason why any compromise in passwords is a big deal even beyond enabling access to one particular site is because an inordinately large number of people use the same password for multiple sites—from emails to social media pages to e-commerce platforms to Internet banking. This means that any compromise in passwords could result in user privacy being severely compromised. There is also the possibility of hackers siphoning off funds if they have net banking passwords. That would be nothing short of a disaster, not just for the users, but also for Zomato.
Patidar and his team sprung into damage limitation mode. The team started systematically assessing the extent of the hack. If one part of your infrastructure is breached, you never know what else it has led to. They started looking for patterns of traffic or requests that were not in sync with the normal trends. All known vulnerabilities had to be fixed at the earliest. It was also crucial to check if there was anything malicious that the intruder had left in the system, which had not yet been discovered.
They also tried to triangulate roughly when the intrusion might have taken place. The hacker was trying to sell 17 million rows of information. They tried to tally that number with the time period during which their database had that many users who signed up using their email and password. That exercise suggested that the hack may have happened between six and twelve months before May 2017. Once they had the time period they started looking at the logs, accessin
g various parts of the infrastructure during that time period.
One particularly important database to check was the credit card information that was stored within the infrastructure and ensure that it was safe. A breach there would be an absolute disaster. Thankfully high regulatory standards meant that credit card information was segregated and stored in different servers. Soon they confirmed that it was safe.
That was a relief for the team, but this was no time to celebrate. Something had to be immediately done about the cache of user data that was compromised. One of the few options they had was to open a channel of communication with the hacker—nclay—and engage with him.
The hacker seemed like a relative newbie to the marketplace and was tagged as a Level 1 vendor. For reference, the top vendor on Hansa Market was bestcoastbud, at Level 13. There was one other listing that nclay had put up, and that was the database of a company called Edmodo. A quick search on Google revealed that it was a Chicago-based education platform. The hacker had put up the personal information of 77 million users, including students, parents and teachers. That too was available to anyone to buy, just like Zomato’s data.4 That was all that could be gleaned from nclay’s profile.
What Zomato’s team needed to know was simple. Why was the hacker doing what he was doing? What could Zomato do to convince him to remove the listing? In case the hacker was doing it for money, how much was he asking for? The data that he had put up was not being sold for crazy amounts of money. Did that mean he was doing this for attention and not to line his pockets?
Patidar didn’t have an account on Hansa Market. Sinha and Patidar created their own accounts. Sinha also quickly wrote a script to track the sales counter that was part of the listing. That way they would be alerted if the number, which was then at zero for both the listings by nclay, were to tick.
Patidar registered on Hansa Market under the user name gpg. He had discovered that the marketplace had an option by which they could message nclay. There was no guarantee that the hacker would reply, but it was imperative that they tried. There was not much else they could do if they wished to connect with the hacker.
It was by then 9 p.m. of 18 May. Both Patidar and Sinha dropped the same message to nclay.
‘Hi, I’m from Zomato and wanted to talk to you.’
* * *
Patidar is from Khargone, a town with just over 200,000 people in Madhya Pradesh, a three-hour drive from the nearest major city, Indore. Like most bright young Indians passing out of school, Patidar appeared for the joint entrance exams conducted by the Indian Institutes of Technology. He got a relatively good rank in the exam, but not high enough to earn him a seat in one of the more popular streams—computer engineering—at IIT Delhi. He ended up with the options of a four-year textile engineering undergraduate programme at IIT Delhi or a seat for a course of his choice in one of the smaller IITs. He chose the former.
It turned out to be one of the greatest decisions of his life. IIT Delhi was a great place for a young engineer with an interest in programming, regardless of the stream he was in. He soon earned a reputation of a go-to person for writing code. He may have signed up to study textile engineering, but it was his coding skills that would bring in freelance assignments and spare cash, and eventually a job at Zomato.
Deepinder Goyal, an IIT Delhi alumni, was an analyst with Bain and Company’s Business Capability Centre in Gurgaon. Bain sponsored an event at IIT Delhi and Goyal came down to judge the competition. Goyal was at the time working to create FoodieBay. He was looking for programming talent to help him build the product, which was conceived as an online menu service. A mutual friend introduced him to Patidar. It didn’t take Goyal long to convince the young Patidar to start freelancing with him.
Patidar started working with Goyal on weekday nights and through weekends in 2008–09, his final year in college. Goyal would often drive down from his office in Gurgaon to south Delhi on Friday evenings, pick up Patidar from the IIT campus and drive back to his home in Gurgaon. There the two, along with others like Pankaj Chaddah, Zomato’s co-founder, would work on developing the restaurant listing and discovery service. They would do this while chomping down the go-to food for bachelors in India—Maggi noodles.
After he graduated, Patidar was placed at a company in Gurgaon, whose office was close to where Goyal was working. Even though Patidar had a full-time job, he continued to moonlight with Goyal, working on the tech for the start-up in evenings and during the weekend. Not too long afterwards, sometime in 2009, Goyal brought him in full time with the mandate of continuing to build the tech for FoodieBay, which in 2010 would be renamed Zomato.
Mirroring the explosion in the restaurant space in India, Zomato quickly gained popularity. It was a time when the combination of a young population and higher levels of disposable income was establishing the culture of eating out in the country. Choosing the right restaurant to go to was a topic of debate in many social circles, and it was at the centre of these conversations that Zomato would gain traction.
The company grew fast, first adding restaurants in multiple cities in India and then, over the next five years, going international, both organically and by acquiring similar platforms in other countries. Much of this growth was powered by the nearly $250 million5 Zomato had raised from various investors in several rounds of funding.
Zomato was building up to be one of the few Indian technology brands that were popular across multiple geographies. Goyal and Chaddah would be perceived as among the torchbearers of Indian entrepreneurship. Patidar had a box seat at the centre of this growth with the designation of chief technocrat at Zomato.
On the evening of 18 May, while Zomato was scrambling to limit the damage from the breach, Waqas Amir, a HackRead blogger, published a report. The headline screamed: ‘Zomato Hacked; 17 Million Accounts Sold on Dark Web’.6
The news of the breach was now out in the open and was soon going to be all over the Internet, and unless they reacted, Zomato would have to chase the story.
Later that evening, Zomato decided put up the news about the breach on their blog. There was a short conversation internally, where the cons of going public officially was discussed, but when weighed against the benefits, it was pretty much a no-brainer. Situations such as this one often resulted in needless speculation on the extent of the breach. Zomato wanted to take control of the narrative in a bid to nip any speculative chatter in the bud.
Security Notice
Over 120 million users visit Zomato every month. What binds all of these varied individuals is the desire to enjoy the best a city has to offer, in terms of food. When Zomato users trust us with their personal information, they naturally expect the information to be safeguarded. And that’s something we do diligently, without fail. We take cyber security very seriously—if you’ve been a regular at Zomato for years, you’d agree.
The reason you’re reading this blog post is because of a recent discovery by our security team that about 17 million user records from our database were stolen. The stolen information has user email addresses and hashed passwords.
We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We, however, strongly advise you to change your password for any other services where you are using the same password.
Important note: payment-related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS)-compliant vault. No payment information or credit card data has been stolen/leaked.
As a precaution, we have reset the passwords for all affected users and have logged them out of the app and website. Our team is actively scanning all possible breach vectors and closing any gaps in our environment. So far, it looks like an internal (human) security breach—some employee’s development account got compromised.
How can this stolen information be misused?
Since we have reset
the passwords for all affected users and logged them out of the app and website, your Zomato account is secure. Your credit card information on Zomato is fully secure, so there’s nothing to worry about there.
What next?
Over the next couple of days and weeks, we’ll be actively working to plug any more security gaps that we find in our systems.
We’ll be further enhancing security measures for all user information stored within our database
A layer of authorization will be added for internal teams having access to this data to avoid the possibility of any human breach.
We regret any disruption this may cause and appreciate your immediate attention to this information. If you have queries/concerns, please do not hesitate to contact our security team by sending an email directly to [email protected] and we’ll reach out to you right away.7
After the blog went live, media outlets all around India started flashing the news. Many in the management team at Zomato started getting calls from folks in the forensic business offering their services to help them tide over the crisis. They declined many of these requests because Zomato felt it was easier for an internal team to manage it. ‘If we had engaged a third party at that time we would have lost a lot of time trying to explain how things worked,’ Pradyot Ghate points out.
The media too started calling, demanding updates. As is par for the course in these days of social media, there was also a significant amount of conversation online, particularly on Twitter and Reddit. Many criticized Zomato for its use of basic encryption protocol and the apparent lack of focus on security.8
‘ . . . tells us a lot about their shitty security. In fact, I think the set-up would be across many other similar apps. This should be a waking call for them to enhance their security.’