Gaana.com -- one of India's most popular music streaming services, with more
than 10 Million registered users and 7.5 Million monthly visitors
-- has reportedly been hacked, exposing the site's user information database.
A Pakistani hacker, who claimed responsibility for the hack, claims that
details of over 10 Million users of the Gaana service, including their usernames,
email addresses, MD5-hashed passwords, dates of birth, and other personal
information, have been stolen and made available in a searchable
database.
At the time of writing, the Gaana website
is down for maintenance, and no official statement has been provided yet.
As of now, the site displays, "Site is down due to server maintenance.
We will be back shortly. Kindly bear with us till then."
Details of 10 Million Users Available in a Searchable Database:
The hacker, nicknamed Mak Man, posted the link to a
searchable database of Gaana user details on his Facebook page, with images of
the service's admin panel.
By exploiting an SQL injection vulnerability in the Gaana website, Mak Man
managed to gain access to the details of its 10 Million users.
The hacker has also posted on Facebook a screenshot of the SQL exploit he used
to get access to the data.
Mak Man claimed that he had previously reported the vulnerability to Gaana.com,
providing full details of the flaw. However, the company did not respond to
his report and ignored it, which resulted in the breach of innocent users'
personal information.
Flaw Reported to the Company, but Ignored:
It sounds really weird that Gaana, which comes from one of India's biggest
internet companies, Times Internet Limited, is vulnerable to such attacks.
It is even weirder when such a reputed company ignores vulnerabilities
reported to it, putting millions of users at risk.
Most data breaches occur because of such behaviour: hackers and bug hunters
responsibly report flaws to companies, but the companies ignore the
issues, encouraging hackers to go public with the details of their customers.
Times Internet CEO Satyan Gajwani replied to the
hacker's post on Facebook later
and apologised that the company hadn't responded to the security concerns
raised by Mak Man.
"I don't think your intention is to expose personal information
about Gaana users, but to highlight a vulnerability," Gajwani added. "Consider
it highlighted, and we're 100% on it. Can I request that you take down access
to the data, and delete it completely?"
Gajwani then took to Twitter and said that the company is
taking the issue seriously and taking steps to fix it. He also said that
no financial or sensitive information was lost, and he encouraged all customers
to reset their passwords as soon as possible.
However, simply changing the password to your Gaana account would not solve
the problem, as the change will be reflected in the leaked database. You are
better advised to deactivate your account until the issue is resolved. Besides
this, change your email, Facebook and Twitter passwords if you are using the
same password as on Gaana.