Ganaa hacked, data of 10 Million registered users leaked

A Pakistani hacker claimed responsibility for a data breach at Gaana music streaming service that exposed data of  more than 10 Million registered users.

Gaana (Gaana.com), one of the most popular music streaming service in India has reportedly been hacked. Gaana service has more than 10 Million registered users and 7.5 Million monthly visitors, according to various sources available on the Internet, the hackers have had access to user information (including username, date of birth, email address, MD5-encrypted password,  and other personal information) stored in the database .

A Pakistani hacker claimed responsibility for the attack and announced that the stolen data were available in a searchable database. Just after the attack the Gaana website was down for maintenance, but the company didn’t issue any official statement.

The hacker, which calls himself Mak Man (this is the nick name he also used on Facebook), has published screen shots of the stolen data, the images demonstrate that the attacker accessed user IDs, passwords and other private details. Mak Man exploiting an SQL injection vulnerability in Gaana website and once stolen the data in the database he also shared the link to a searchable archive of Gaana user.

The Gaana service has been suspended and the administrators have forced a password reset in response to the data breach.

“Site is down due to server maintenance. We will be back shortly. Kindly bear with us till then.” was the message displayed by the website.

Below the sequence of tweets sent by Gaana operators, one ot the messages confirm that hackers haven’t had access to financial or sensitive personal data of the users.

“We have temporarily removed access to our website and app as a vulnerability in one of our Gaana user databases was exposed” 

“No financial or sensitive personal data beyond Gaana login credentials were accessed. No third party credentials were accessed either.”

“Most of our users’ data has not been compromised, but we’ve reset all Gaana user passwords, so all users have to make new ones”

“We would like to assure that security is a major focus for us and we are further strengthening our user security team”

“Please be assured that we are treating this issue with the utmost urgency and will provide more information soon”

  The hacker has reportedly acknowledged that the flaw ha has exploited to access Gaana database has been patched, but he is warning on the existence of many other security flaws.

“The vulnerable parameter I was using here, has been patched by the Admin… Now the question is, Was this the only vulnerable parameter I had.” saids Mak Man.

In a Twitter update provided by the CEO of Gaana.com, Stayen Gajwani, it is reported that the stolen database has been removed from the hacker’s website.

It seems that the Pakistani hacker was not interestes in the sale of data, instead he acted to prove the poor level of security implemented by the service. He tried to contact the company several times to report the issue by the was always ignored, so he decided to hack the website.

Unfortunately, there is the concrete risk that the data are in the hands of cyber criminals in this moment that could try to monetize them in the incoming days.

I suggest Gaana users that share the same credentials on other web services to change their password on the other sites as soos as possible.

Pierluigi Paganini

(Security Affairs –  Gaana, SQL injection)