Gaana.com — one of India’s most popular music streaming services, with more than 10 Million registered users and 7.5 Million monthly visitors — has reportedly been hacked, exposing the site’s user information database.
A Pakistani hacker known as Mak Man, who claimed responsibility for the hack, says that the details of over 10 Million users of the Gaana service, including their usernames, email addresses, MD5-hashed passwords, dates of birth and other personal information, have been stolen and made available in a searchable database.
By exploiting an SQL injection vulnerability in the Gaana website, Mak Man managed to gain access to the details of its 10 Million users. The hacker also posted on Facebook a screenshot of the SQL injection query he used to get access to the data.
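The two weaknesses the report names, an injectable SQL query and passwords stored as unsalted MD5, are easiest to see side by side. The following Python example is added here for illustration and is not Gaana's code or anything the hacker published: it uses a constructed in-memory SQLite user table with made-up accounts, shows a string-concatenated lookup next to its parameterized fix, and contrasts an audit of stored MD5 digests against a short list of common passwords with salted PBKDF2 storage. Function names, the table schema and the sample accounts are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample accounts for the demo (not real Gaana data).
SAMPLE_USERS: List[Tuple[str, str, str]] = [
    ("alice", "alice@example.com", "password123"),
    ("bob", "bob@example.com", "letmein"),
    ("carol", "carol@example.com", "R7#vq!2LpZ9m"),
]

# Small constructed list of weak passwords used for the defender-side audit below.
COMMON_PASSWORDS = ["123456", "password", "password123", "letmein", "qwerty"]


def md5_hex(password: str) -> str:
    # Unsalted MD5, the storage scheme the report attributes to the leaked database.
    return hashlib.md5(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    # Hypothetical schema: one row per user, password kept as an MD5 digest.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, pw_md5 TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(u, e, md5_hex(p)) for u, e, p in SAMPLE_USERS],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable pattern: user-controlled text is spliced into the SQL statement,
    # so quote characters in the input change the query's structure.
    query = f"SELECT username, email, pw_md5 FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Hardened pattern: the value is bound as a parameter and is never parsed as SQL,
    # so the same input only matches a literal username.
    return conn.execute(
        "SELECT username, email, pw_md5 FROM users WHERE username = ?", (username,)
    ).fetchall()


def audit_weak_md5(conn: sqlite3.Connection, wordlist: List[str]) -> List[str]:
    # Defender-side audit: because MD5 is fast and unsalted, one digest per candidate
    # word is enough to spot accounts whose password is on a common-password list.
    # That cheapness is exactly why an MD5 dump exposes users who reuse passwords.
    digests = {md5_hex(w): w for w in wordlist}
    rows = conn.execute("SELECT username, pw_md5 FROM users").fetchall()
    return [username for username, pw_md5 in rows if pw_md5 in digests]


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    # Salted, iterated hash: a per-user random salt defeats precomputed tables and the
    # iteration count makes each guess cost real work. Format: algo$iters$salt$digest.
    salt = salt if salt is not None else os.urandom(16)
    iterations = 200_000
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    # Recompute with the stored salt and iteration count; constant-time compare.
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"
    print("vulnerable lookup rows:", len(lookup_vulnerable(db, probe)))  # every user
    print("safe lookup rows:", len(lookup_safe(db, probe)))              # none
    print("accounts with common passwords:", audit_weak_md5(db, COMMON_PASSWORDS))
    stored = hash_password("password123")
    print("pbkdf2 verify:", verify_password("password123", stored))
```

The parameterized query is the fix for the injection; the PBKDF2 function is the fix for the storage problem. Note that even with salted hashing, an attacker who can read the table can still guess against each hash individually, so the audit and the user advice about reused passwords remain relevant after the schema is changed.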
Flaw Reported to the Company, but Ignored:
Times Internet CEO Satyan Gajwani replied to the hacker’s post on Facebook later and apologised that the company hadn’t responded to the security concerns raised by Mak Man.
“I don’t think your intention is to expose personal information about Gaana users, but to highlight a vulnerability,” Gajwani added. “Consider it highlighted, and we’re 100% on it. Can I request that you take down access to the data, and delete it completely?”
However, simply changing the password on your Gaana account would not solve the problem: as long as the injection flaw remains open, the new password would show up in the exposed database just as the old one did. You are advised to deactivate your account until the issue is resolved. Besides this, change your email, Facebook and Twitter passwords if you used the same password on Gaana.
“I hereby confirm that no financial information was accessed during the hack of Gaana.com .. Database was so huge that I didn’t even bother looking and no information was dumped and stored locally .. not even a single row,” Mak Man said in a Facebook post.
However, even if the hacker did not download the Gaana.com database through the SQL injection vulnerability, that does not mean nobody else has exploited the flaw, as the loophole in the website had been open for the last few months.
Meanwhile, it is possible that someone else found the vulnerability and already stole the data in past days without the company’s knowledge.