Zoomcar, security, and stupid decisions



As per news reports, the data is 3.5 million Zoomcar customers is available to purchase online, with apparently the info of a total 9 million users that may be on sale.

The info leaked includes:

  1. Names
  2. Email IDs
  3. Passwords
  4. Mobile numbers
  5. IP Address

If you have been a Zoomcar user in the past, my suggestions would be:

  1. Log into Zoomcar, change your password, and remove any saved card info if possible
  2. If you’ve used the same email/password combo as your Zoomcar account at other places, change those passwords as well
  3. Be vigilant against phishing attacks on your email and phone, scammers may try to use the info they have against you
  4. User different passwords for different sites, use strong passwords that are at least 12 characters long, and use common sense

It is quite possible that the data leaked is not actually from Zoomcar, since we only have the hacker’s word as proof, and usually people who sell stolen goods on the dark web aren’t rated highly on trust. However, taking the precautions above is still advisable, especially since Zoomcar has not denied it.

Zoomcar’s behavior through this situation has been extremely stupid in my opinion. This is because of 2 reasons:

1. The time

As per the news reports, the actual breach happened in July 2018, that’s almost 2 years ago.

This means that either they purposefully hid this info from customers, or that their security team is so incompetent that they found out about the hack through the news stories too.

It is true that there’s no such thing as GDPR or any semblance of data protection laws in India, so Zoomcar had no reason to admit their mistake when they fucked up. But it would have been the right thing to do, and may even have slightly improved their much destroyed public image.

2. The stupidity

My main problem, and the entire reason I got pissed off enough to write this article, is the response from Zoomcar. After the news broke, Zoomcar sent an email to their customers. Here it is:

There are 3 main issues with this email:

  1. The evasion
    The email says nothing about the breach itself, they don’t tell us if it happened or if it didn’t. The email is supposed to be in clarification of the “data security practices” of Zoomcar that some “local media” has made some claims about.

    This is obviously lawyer talk to avoid confirming that they made a boo boo, an attempt to distract from the reality of the situation and talk about something unrelated that nobody gives a shit about in the present situation.
  2. The lying
    Zoomcar says the following in the email, which is simply false:

    a. All Zoomcar data, including user passwords, is encrypted with extremely robust algorithms that make it impossible for individuals to access.

    b. Encrypted passwords, thus passwords are never exposed or hacked

    Both of these statements are complete lies, and not just because such blanket statements simply must be, although that hasn’t stopped Zoomcar from repeating them on social media as well.

    Encryption algorithms can be as robust as they like, but if the user password is weak, that password can be “exposed or hacked”. If you’d like an actual expert explain to you why, watch this video.

    If you’d rather read an oversimplification, here’s an example.

    Imagine your Zoomcar password is 12345, because you’re absolutely insanely dumb. Let’s say the world’s best encryption algorithm is used to encrypt this password.

    Original password: 123456
    Encrypted password: SqUiDLoVeR#420@*

    That encrypted password looks pretty dangerous doesn’t it? Hard to crack? Not really. All the hacker has to do is find out what encryption algorithm is used, generate random passwords, encrypt them with the algorithm, and match the results with the hacked encrypted passwords he can see.

    Try 1:
    Generated password: 1234
    Encrypted password: SqUidLoVeR
    Match: NO

    Try 2:
    Generated password: 12345
    Encrypted password: SqUidLoVeR#
    Match: NO

    Try 3:
    Generated password: 123456
    Encrypted password: SqUiDLoVeR#420@*
    Match: YES

    The hacker never needed to “crack” your password, you just made it so easy for him that he barely had to fart in its general direction for the lock to open.

    The point here is that Zoomcar’s claim that passwords are encrypted so there’s nothing to worry about, is simply untrue.
  3. The lack of responsibility
    The biggest threat to users whose emails and phone numbers have been exposed, is that they’ll be targeted for phishing attacks. The email makes no mention of it whatsoever, which allows a sense of complacency.

    Everything is fine, but if you’d like to change your password, go ahead, but nothing to worry about at all, but here’s the Change Password link just in case, but everything is super chill, promise.

    This is dangerously irresponsible, the only way to be safe against phishing attacks is to be aware of the risk, and not be taken by surprise. By completely ignoring that angle from its email, Zoomcar is trying to hide their mistake at the cost of their customers.

I assume this sort of shoddy work from Zoomcar is because of panic. With the lockdown, and global car rental services like Hertz moving towards bankruptcy, they must be scrambling to contain the damage. It may be a question of survival for them.

I have never used Zoomcar, and I am not a corporate communications manager, I couldn’t care less about the moanings of idiots in suits. It just annoys me when companies treat their customers like they’re dim witted.

Leave a comment

Leave a Reply

Your email address will not be published.