Domino's India Website Attacked; Turkish Hackers Publish 37,000 Customer Passwords

The leaked data includes personal details such as phone numbers and email addresses; passwords were stored in plain text.


If you've ever ordered a Domino's Pizza online, this news will come as a rude shock to you. A bunch of hackers who call themselves TurkishAjan managed to obtain details of 37,000 accounts belonging to the food chain's customers, including information such as the name, phone number, email address, password, and city. What's even more worrisome is that the group released the passwords in plain text; an easy task considering that the company had stored them as unencrypted, plain text.

Domino's operates in India through a tie-up with Jubilant FoodWorks Ltd. The stolen data had been published on, but the contents seem to have been removed as of this writing. For the technically inclined, reports suggest that the hacking was performed using the "SQL injection and remote file inclusion" technique, which is known to be one of the most common ways of extracting info from web databases. It's also probable that the hackers obtained administrator access to other internal company domains, thus resulting in the possibility of future attacks as well. The worst part? This isn't the first time that the site has been attacked, but the system administrators apparently didn't take corrective measures, thus resulting in a much bigger breach this time.
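The two server-side failures reported above, plain-text password storage and SQL injection, have well-known fixes. The sketch below is an added example, not code from Domino's or from the original article: it stores a salted PBKDF2 hash instead of the password and passes user input to the database only through bound parameters. The table layout, function names, iteration count and sample customer are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune for your hardware

def open_db():
    # Hypothetical customer table holding the same fields named in the leak.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (email TEXT PRIMARY KEY, name TEXT, "
               "phone TEXT, city TEXT, salt BLOB, pw_hash BLOB)")
    return db

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(db, email, name, phone, city, password):
    salt = os.urandom(16)  # unique per account, so equal passwords hash differently
    # Placeholders keep user input out of the SQL text entirely.
    db.execute("INSERT INTO customers VALUES (?, ?, ?, ?, ?, ?)",
               (email, name, phone, city, salt, hash_password(password, salt)))

def login(db, email, password):
    row = db.execute("SELECT salt, pw_hash FROM customers WHERE email = ?",
                     (email,)).fetchone()
    if row is None:
        return False
    # Constant-time comparison of the stored and recomputed hashes.
    return hmac.compare_digest(hash_password(password, row[0]), row[1])

def dump_contains(db, secret):
    """Check whether `secret` appears anywhere in a full copy of the table."""
    needle = secret.encode()
    for row in db.execute("SELECT * FROM customers"):
        for col in row:
            data = col if isinstance(col, bytes) else str(col).encode()
            if needle in data:
                return True
    return False

if __name__ == "__main__":
    db = open_db()
    # Constructed sample customer, not real data.
    register(db, "asha@example.com", "Asha", "0000000000", "Pune", "extra-cheese-42")
    print("correct password:", login(db, "asha@example.com", "extra-cheese-42"))
    # Constructed injection-style input: bound as data, it matches no email.
    print("injection-style email:", login(db, "' OR '1'='1", "anything"))
    print("password visible in dump:", dump_contains(db, "extra-cheese-42"))
```

With this layout a copy of the table still exposes names, phone numbers, emails and cities, but not the passwords themselves.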

As of this writing, the company blog, as well as its Facebook and Twitter channels, remained silent about the intrusion. This will only make matters worse, as the first thing the MNC needs to do in order to restore public confidence in its system is to explain to its customers what exactly happened and the steps it will take to prevent future occurrences. Earlier this year, the Microsoft India store was also compromised and users' credit card details leaked, leading to the company issuing an advisory to its customers to monitor their cards for "unusual activity".

Looks like companies don't really bother too much about protecting our identity; especially since encrypting sensitive data isn't really such a tough task. The best way out seems to be to avoid creating accounts as far as possible. However, in situations where you're left with no choice but to create an account with a website, follow these basic rules:

  • Don't use a common password for all accounts. Specifically, don't use the same password as that of your email account. If that results in too many passwords to manage, write them down and store them in a safe place, such as a desk drawer in your home. If you're afraid of this being misused by your family members though, you've got much bigger problems than unsafe data.
  • For online payments, instead of using a credit/debit card, opt for Cash On Delivery or netbanking (direct payment through a secure gateway). Alternatively, use cash cards or virtual credit cards (such as HDFC's NetSafe), so that even if the account is compromised, the damage is limited only to the amount that the card has been "refilled" with, instead of your entire credit limit.

Can you think of any other easy and effective tips to protect your online identity from being stolen? Let us know in the comments. Meanwhile, if you're among those affected by this leak, make your displeasure known on the company's Facebook and Twitter page, and pressure them to come clean about this incident.

TAGS: Security, Internet, Kamakshi
