Investigating Zomato & Edmodo Hack

Rojan Rijal
May 19, 2017


On May 17, 2017, Zomato announced that its database had been breached and that about 7 million user records had been stolen. Soon afterwards the data was found being sold on a darknet market for an estimated $1,001. Zomato got in touch with the hacker, and after some exchange they agreed that the hacker would take down the database listing and instead work with Zomato on fixing the bug. Zomato also announced that it would launch a bug bounty program on HackerOne.

At the moment, Zomato has a simple program on HackerOne that offers hackers only a Hall of Fame (HoF) entry. In recent days, many hackers who participate in Zomato’s HackerOne program have been complaining about the lack of response and the delays in responding to security reports. This hacker raised the same issue and asked Zomato to update its policy and be more active. While this may bring some positive changes to Zomato’s responsible disclosure program, the actions of this hacker were unethical. I decided to launch my own private check to see who this hacker could be, and uncovered some information about another identical breach.

The first step was to scan social media sites for any old chatter about the hack. Some hackers like to boast about their hacks on social media. I scanned Twitter and Facebook to see if there was any chatter. Unfortunately, this hacker knew how to cover their tracks. However, some media sites were somewhat blowing his cover; it seems he had given some interviews regarding the hack. After some checking, I found that the data was being sold by the vendor nclay on a deep web site. I usually scan multiple .onion marketplaces to see if there are any leaks after a website hack. After seeing the following picture, I immediately knew what site this was:

The second step was to go to the deep web.

I had visited this same .onion site before when investigating credit card leaks and other possible breaches. It was none other than HansaMarket. The Reddit list of deep web sites is here: https://www.reddit.com/r/darknetmarkets/wiki/superlist#wiki_hansa_market

The .onion address for this site is: hansamkt3iph6sbb.onion

You can browse the site without Tor here: http://hansamkt3iph6sbb.onion.link/

So now we know his handle, nclay, and the site he uses to sell the file: HansaMarket.

Going to his store, we find this:

Now, the thing is, Edmodo recently emailed its users and informed them that it had suffered a security breach. Users were asked to change their passwords immediately.

In this case, he (nclay) also provided some sample data, which appears to contain email addresses and passwords hashed with bcrypt. Most accounts look to be those of Edmodo employees, because they carry the email domain @edmodo.com.

So far we have been able to link the same hacker to both leaks. I am not familiar with how that specific marketplace works, but based on his vendor profile it seems that one order has been placed.

Breaking everything down:

This handle joined the site on 2017-05-07 (UTC), which is when we started to pick up chatter from hackers complaining about Zomato’s unresponsive bug bounty program. I can certainly bet that this hacker has reported bugs to Zomato through the HackerOne platform. So, in all probability, this could be a security researcher who got angry that Zomato did not respond to their bug.

This post is still being edited. Any new information will be added below:

Update May 20, 2017: We have released a Messenger bot that lets you check whether your email is on the Edmodo leaked list: https://m.me/amibreached
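Two things in this post invite a quick check a practitioner would actually run: the claim that the sample data consists of email addresses plus bcrypt hashes (and mostly @edmodo.com accounts), and the "am I breached" email lookup. The following is an added example, not code from the original post or from the bot linked above: it parses a constructed `email:hash` sample in the shape described (the addresses and hashes are made up for illustration, not data from the actual leak), classifies each hash by format, tallies the email domains, and implements the lookup by keeping only SHA-256 digests of the addresses, so the index handed to a lookup service never holds the raw emails. The modular-crypt prefixes `$2a$`, `$2b$`, `$2x$` and `$2y$` are the real bcrypt variants; everything else here (function names, the sample lines) is an assumption of the example.

```python
import hashlib
import re
from collections import Counter

# Constructed sample in the shape described in the post (email:hash per line).
# These are made-up addresses and hashes for illustration only, not leaked data.
SAMPLE_DUMP = """\
alice@edmodo.com:$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
bob@edmodo.com:$2b$12$KIXyQn.8y7pA6Yv0ZGfCluJ3u1w1QWHnM9z6q1TQYsR6bC1nD9oKe
carol@example.org:5f4dcc3b5aa765d61d8327deb882cf99
dave@edmodo.com:$2y$10$7EqJtq98hPqEX7fNZaFWUOhV8f6dnOx1vHcG4FzYtqqNlq4cOv2gG
malformed line without separator
"""

# bcrypt modular-crypt format: $2<variant>$<cost>$<22-char salt><31-char digest>,
# the 53 trailing chars drawn from bcrypt's own base64 alphabet [./A-Za-z0-9].
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# A bare 32-hex-digit string is the shape of an unsalted MD5 (a red flag in a dump).
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def classify_hash(h):
    """Return (algorithm label, bcrypt cost or None) for one hash string."""
    m = BCRYPT_RE.match(h)
    if m:
        return "bcrypt", int(m.group(1))
    if MD5_RE.match(h):
        return "md5-like", None
    return "unknown", None


def parse_dump(text):
    """Parse email:hash lines; lines without a separator are skipped, not guessed."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, h = line.split(":", 1)
        email = email.strip().lower()
        algo, cost = classify_hash(h.strip())
        records.append({
            "email": email,
            "domain": email.rpartition("@")[2],
            "algo": algo,
            "cost": cost,
        })
    return records


def summarize(records):
    """Tally hash formats, bcrypt cost factors and email domains in the sample."""
    return {
        "algos": Counter(r["algo"] for r in records),
        "bcrypt_costs": Counter(r["cost"] for r in records if r["algo"] == "bcrypt"),
        "domains": Counter(r["domain"] for r in records),
    }


def build_lookup_index(records):
    """Index of SHA-256(email) digests: enough to answer 'is this address in the
    list?' without handing the lookup service the plaintext address list."""
    return {hashlib.sha256(r["email"].encode()).hexdigest() for r in records}


def is_breached(index, email):
    """Normalise the same way as the index (strip, lower-case) before hashing."""
    digest = hashlib.sha256(email.strip().lower().encode()).hexdigest()
    return digest in index


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    stats = summarize(recs)
    print("hash formats:", dict(stats["algos"]))
    print("bcrypt costs:", dict(stats["bcrypt_costs"]))
    print("domains:     ", dict(stats["domains"]))
    idx = build_lookup_index(recs)
    for addr in ("Alice@Edmodo.com", "nobody@example.com"):
        print(addr, "->", "in list" if is_breached(idx, addr) else "not in list")
```

The hash-format tally is the part that actually tests the seller's claim: a dump advertised as bcrypt that turns out to be mostly unsalted MD5 is a different risk to the affected users, and the cost factor tells you how much cracking work each bcrypt entry represents. Hashing the emails before publishing a lookup index is a minimum, not a full protection: a single SHA-256 of a guessable address is still trivially reversible by anyone who can enumerate candidate addresses, so a real service would rate-limit lookups or use a k-anonymity style prefix query rather than exposing the whole digest set.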

Update May 23, 2017: We forgot to release this earlier, but here is the code that was potentially used for the hack: https://pastebin.com/bYAtrLck

Update (current time): Zomato has revamped its VDP/bug bounty program and now rewards researchers for their work. Its response time to reports also seems to have shortened, suggesting that it cares about its users’ security and privacy.
