Online restaurant guide and food ordering app Zomato will be reaching out to 6.6 million users, whose 'hashed' passwords could be 'theoretically decrypted' in order to get them to update their account security.
On Thursday, the company had reported that about 17 million user records have been stolen from its database, which included user email addresses and passwords but no payment information or credit card data.
"6.6 million users had password hashes in the 'leaked' data, which can be theoretically decrypted using brute force algorithms," Zomato said in a blogpost.
A hashed password is series of random-looking characters used by companies for security reasons to protect users.
The company will be reaching out to these users to get them to update their password on all services where they might have used the same password, it added.
Zomato said it was able to get in touch with the hacker, who had put the stolen user data up for sale. He has agreed to destroy all copies of the stolen data and take the data off the dark web marketplace.
The startup further said it will be introducing a bug bounty programme on Hackerone for security researchers very soon, which was the key demand of the hacker.
"The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps," Zomato said.
The company said hacker also gave it all the details on the way he/she got access to this database.
The startup promised to post this information on their blog, once they close the loopholes so that it can be a lesson for others to follow. The disclosure comes at a time when the world is coping with the cyber attack by ransomware 'WannaCry', which has impacted IT networks in over 150 countries.