Zomato on Thursday admitted to a major security breach, where around 17 million user records - out of the company's 120 million users - were stolen from its database. According to the company, usernames and hashed passwords were stolen by the attackers - the fact that the passwords were encrypted means that they will be harder to access, but such troves of data do eventually get cracked, so a sensible move would be to change your Zomato password right away, and also to change it on any site where you use the same passwords. At the same time, we must also remind our users that using the same passwords across multiple sites is a really bad idea, so if you're doing that anywhere, please change your passwords, and get a password manager.
Coming back to Zomato, the company disclosed the attack in a blog post, where it also mentioned that all payment data is stored separately from the stolen data, and that no payment information or credit card data has been stolen. In a mailed statement, the company added that All payment information on Zomato is stored in a highly secure PCI Data Security Standard (DSS) compliant vault. It added: "We can also confirm that we have found no evidence whatsoever of any of Zomato’s other systems or products being affected."
This is not the first time that Zomato has been targeted in a hacking attack. In 2015, the company was hacked by a white hat hacker who reported the details to Zomato, which addressed the weaknesses, according to reports. This time however, a report says that the stolen usernames and passwords are being sold online.
On the blog, Zomato mentions that it has reset passwords for all affected users, and logged them out of the app and website. According to Zomato, it is now investigating the breach to close gaps, and it noted that this looks like an internal security breach. Either the account of an employee has been stolen, or these accounts were stolen by an employee.
Zomato reassured users that accounts have been secured, and payment information was saved separately, so there's no cause for concern, but this incident does highlight how much of our data is available to companies; from our real names and address to our payments data, and if this was in fact an employee who stole the data, then it's even more important that companies clearly declare what user data is visible to their staffs.
"Over the next couple of days, we’ll be actively working to improve our security systems - we’ll be further enhancing security measures for all user information stored within our database, and will also add a layer of authorization for internal teams having access to this data to avoid any human breach," Zomato stated.
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.