Food directory and delivery giant, Zomato, on Thursday admitted that it suffered a massive security breach making it loose out on at least 17 million records of people from its server. As per reports, the attackers have stolen the usernames and hashed passwords from Zomato’s data; however, no payment information has been compromised.

Following the breach, the CTO of Zomato issued a statement saying, “The stolen information has user email addresses and hashed passwords,” said Gunjan Patidar, CTO. Dark web vendor ‘Nclay’ claimed the responsibility for the hacking of the Zomato website.”

According to the statement released by Zomato, the attackers have stolen the usernames and hashed passwords and the fact that the passwords are encrypted, it would be harder for hackers to make access.

The company also said that it would be sensible for the users to change their passwords and anywhere where they have been using the same passwords.

The released statement also read, “Payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked. As a precaution, we have reset the passwords for all affected users and logged them out of the application and website”.

As per sources, the stolen data — which includes email IDs and password hashes of millions of Zomato users — is up for sale on Dark Web marketplace.

However, the giant claimed that the impact was not felt the payments details of the users which included the debit and credit card details of the app user.

Commenting over the security breach, the sources said that the breach looks like an internal security breach suggesting that a Zomato employees’ account may have been compromised.

Earlier, a same sort of breach was faced by McDonalds India application where it claimed that around 2.2 million users’ data may have been compromised.