Restaurant guide and food delivery service Zomato looks like it is getting off lightly after it suffered a hack that compromised personal information belonging to 6.6 million users.

The India-based company, which offers services in more than 20 countries worldwide, set off alarm bells when it revealed that a hacker had made off with 17 million user records. That, Zomato said, included email addresses and hashed passwords but not credit card information.

Initially, the stolen information was put up for sale however the company later revealed that the hacker had agreed to remove the listing on the condition that Zomato introduces a fully-fledged bug bounty program.

Zomato has operated an account on disclosure service Hacker One for more than a year, however CEO Deepinder Goyal confirmed on Twitter that it would begin compensating hackers with money for their disclosures.

Following the incident, Zomato reset the passwords of all affected users and logged them out of its app and website. It said that 60 percent of its 17 million user records are tied to social log-in via Twitter or Facebook and therefore weren’t impacted by the hack. The company claimed that the passwords that were stolen “cannot be easily converted back to plain text” but Motherboard and security experts didn’t have issues converting a sample of the data provided by the hacker into original passwords.

Security experts weren’t impressed with Zomato’s security measures.

In this case there’s no immediate danger since the hacker agreed not to sale the data, but the situation is a reminder that many companies do not have adequate security measures in place to protect users.

That includes big ones. Zomato has been valued at over $1 billion — though some disagree on that — and it is fair to say that it doesn’t have any excuses for a lax security system since it has raised over $240 million from investors to date.