Initially, the Zomato team wrongly assessed the incident as an internal (human) security breach involving a hacked developer account. They later got in touch with the hacker, said that he was cooperative, and learned the details of how the attack happened. The hacker asked them to run a bug bounty program for security researchers; they agreed and said they would start one on HackerOne very soon.
Zomato stated the same in their blog post, as shown below:
The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system. His/her key request was that we run a healthy bug bounty program for security researchers.
Source: Zomato blog security notice
We are introducing a bug bounty program on Hackerone very soon. With that assurance, the hacker has in turn agreed to destroy all copies of the stolen data and take the data off the dark web marketplace. The marketplace link which was being used to sell the data on the dark web is no longer available.
The Zomato team reset the passwords for all the hacked accounts, so all the user data is now secured. It would be really good if they start a new bug bounty program, which would be of mutual benefit to hackers and the company. This move will enhance the security of their users. We advise all startups to run bug bounty programs to prevent this kind of security breach.