Zomato's bad security cost them the breach of 6.6 million user passwords
Zomato is the latest firm to suffer a data breach, which it admits has compromised the personal information of 6.6 million of its users.
The India-based company said on Thursday that it recently discovered that around 17 million user records - including email addresses and hashed passwords - had been stolen from its database. No payment information was taken, the firm noted, adding that this is stored separately "in a highly secure PCI Data Security Standard (DSS) compliant vault".
Later, however, the firm said that 60 per cent of its users use third-party OAuth services - that is, they log in using their Google and Facebook accounts - and noted that these users are at "zero risk". Still, this leaves 6.6 million Zomato users who are not, and the firm says that it has taken steps to reset the passwords for all affected users, as well as having logged them out of its app and website.
It ain't getting off that lightly, though. In a blog post, the company claimed that the passwords that were stolen "cannot be easily converted back to plain text," but Motherboard said that security experts had little trouble recovering the original passwords from a sample of the data provided by the hacker.
One such expert, Andrew Mabbitt from Fidus Information Security, was able to easily crack around half of the stolen passwords.
"Whilst a salt was appended to the hashes, it was only 2 characters long and provided virtually no benefit", he said. "Along with this, the MD5 hashing algorithm is outdated and has been superseded by more cryptographically secure hashing algorithms."
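The two defects Mabbitt describes, a fast general-purpose hash and a salt too short to matter, are easiest to see side by side. The following is an added example written for this article; it is not Zomato's code and does not reflect how Zomato's system was built. It shows the weak shape (MD5 over password plus a 2-character salt) next to a hardened record (PBKDF2-HMAC-SHA256 with a random 16-byte salt), quantifies how little a 2-character salt expands the work an attacker must do per candidate password, and shows the migration pattern a defender actually needs: verify legacy records on login and re-hash them into the stronger scheme. The record format, the 95-character salt alphabet, the iteration count and the sample password and salt are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Parameters for the hardened scheme (assumptions for this example; tune the
# iteration count to your own hardware and login-latency budget).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
PRINTABLE_ASCII = 95  # assumed alphabet size for a 2-character salt


def legacy_hash(password: str, salt: str) -> str:
    """The weak form the article describes: MD5 over the password with a short salt appended."""
    return hashlib.md5((password + salt).encode()).hexdigest()


def salt_space(alphabet_size: int, length: int) -> int:
    """Number of distinct hashes a single password can map to for a given salt size.

    This is the factor by which the salt multiplies an attacker's precomputation
    cost; for a 2-character printable salt it is only 95**2 = 9025.
    """
    return alphabet_size ** length


def make_record(password: str) -> str:
    """Hardened record: PBKDF2-HMAC-SHA256, random 16-byte salt, iteration count stored inline."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Verify a password against either record format using a constant-time comparison."""
    scheme, *fields = record.split("$")
    if scheme == "md5":
        salt, digest = fields
        return hmac.compare_digest(legacy_hash(password, salt), digest)
    if scheme == "pbkdf2_sha256":
        iterations, salt_hex, dk_hex = fields
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(dk.hex(), dk_hex)
    raise ValueError(f"unknown scheme {scheme!r}")


def login_and_upgrade(password: str, record: str) -> tuple[bool, str]:
    """Authenticate, and on success re-hash a legacy MD5 record into the hardened scheme.

    Returns (authenticated, record_to_store). The plaintext is only available at
    login, so this is the moment a legacy record can be migrated.
    """
    if not verify_record(password, record):
        return False, record
    if record.startswith("md5$"):
        return True, make_record(password)
    return True, record


# Constructed legacy record: password and 2-character salt invented for this example.
LEGACY_RECORD = "md5$q7$" + legacy_hash("hunter2", "q7")

if __name__ == "__main__":
    print("distinct hashes per password, 2-char salt:", salt_space(PRINTABLE_ASCII, 2))
    print("distinct hashes per password, 16-byte salt:", salt_space(256, SALT_BYTES))
    ok, stored = login_and_upgrade("hunter2", LEGACY_RECORD)
    print("legacy login ok:", ok, "| upgraded to pbkdf2:", stored.startswith("pbkdf2_sha256$"))
```

The salt-space comparison is the whole argument in two numbers: a 2-character salt forces at most 9025 variants of each candidate password, while a 16-byte random salt makes any shared precomputation useless. The iteration count is stored in the record so it can be raised later without invalidating existing users; records hashed with the old count are simply re-hashed at their next login by the same `login_and_upgrade` path.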
Motherboard also reveals that the hacked data was initially put up for sale on the dark web, but Zomato has since claimed that the hacker - who got his hands on the data after finding a vulnerability in the company's infrastructure around a year ago - had agreed to remove the advertisement and destroy any copies of the data itself on the condition that the firm will soon launch a bug bounty programme.