Zomato got hacked and 17 million accounts are up for sale on the Dark Web

Zomato, the popular restaurant and event listing service, has been hacked and 17 million accounts are listed for sale on the dark web. The data on sale includes emails and hashed passwords of Zomato users, but the company said no payment or credit card data was leaked.

Zomato confirmed the hack to IBTimes UK. "Our security team has discovered an incident that may have resulted in unauthorized access to account information (including name, email address and hashed password) for 17 million users on Zomato," a spokesperson for the firm said in an emailed statement.

Zomato added that it has found "no evidence" that users' financial and/or credit card information was accessed. The firm stressed that "no payment information or credit card data has been leaked."

A dark web vendor going by the pseudonym "nclay" has claimed responsibility for the hack. Earlier, HackRead reported that the vendor publicly shared a sample of the trove of stolen data. HackRead said that a test of the sample data showed that every account mentioned on the list existed on Zomato and that the data came from registered Zomato users.

Zomato's statement said: "Our team is actively scanning all possible breach vectors and closing any gaps in our environment. And though the hashed password cannot be converted back to plain text, as a safety measure, we have reset the passwords for all affected users and logged them out of the app and website."

The firm said that it will improve its security systems and "enhance" security measures for stored user data to avoid such breaches in the future.

Zomato, which was founded in 2008 by Indian entrepreneurs Deepinder Goyal and Pankaj Chaddah and is based in India, reportedly has over 90 million visitors every month, and its app is highly popular in India. Alexa ratings show that it is among the top 155 most visited websites in India.

The service has a prominent global presence and is popular in Australia, the Middle East and some eastern European and South American countries, among others.

The undisclosed dark web marketplace where Zomato users' accounts are currently up for sale also lists numerous other stolen databases. HackRead reported that vendors on the same marketplace are also selling around 100 million accounts from Chinese video service Youku, millions of Gmail and Yahoo accounts and millions of records from Bitcoin forums, among other data sets.

Zomato has been hacked before, by Indian white hat hacker Anand Prakash, who found a critical security flaw and reported it to the firm. The firm also has a bug bounty programme but, unlike other firms, it does not hand out cash rewards. Instead, hackers receive Hall of Fame recognition or a certificate of acknowledgement.

(Updated to include Zomato's comments.)