Gaana.com -- one of India's most popular music streaming services, with more than 10 Million registered users and 7.5 Million monthly visitors -- has reportedly been hacked, exposing the site's user information database.
A Pakistani hacker who claimed responsibility for the hack says that the details of over 10 Million users of the Gaana service, including their usernames, email addresses, MD5-hashed passwords, dates of birth and other personal information, have been stolen and made available in a searchable database.
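Why a leaked table of MD5-hashed passwords matters: MD5 is an unsalted, fast hash, so every account that uses the same password stores the same digest, and a digest computed once matches all of them. The following is an added example, not code from the article or from Gaana, contrasting that scheme with a salted, memory-hard hash (scrypt from Python's standard library). The two sample accounts and their shared password are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample: two accounts that happen to use the same password.
SAMPLE_ACCOUNTS = [("user-a", "summer2015"), ("user-b", "summer2015")]


def md5_unsalted(password: str) -> str:
    """Unsalted MD5, the scheme the article describes. The same password gives
    the same digest for every user and for every site that stores it this way."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def scrypt_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, memory-hard hash. A fresh random salt per user means identical
    passwords produce unrelated stored values and each guess must be redone per user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_scrypt(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time check of a candidate password against a stored salt and digest."""
    _, digest = scrypt_salted(password, salt)
    return hmac.compare_digest(digest, stored)


def stored_values_collide(scheme: str) -> bool:
    """Hash both sample accounts with the chosen scheme and report whether the
    stored values are identical (True means the scheme exposes password reuse)."""
    if scheme == "md5":
        values = [md5_unsalted(pw) for _, pw in SAMPLE_ACCOUNTS]
    elif scheme == "scrypt":
        values = [scrypt_salted(pw)[1] for _, pw in SAMPLE_ACCOUNTS]
    else:
        raise ValueError("unknown scheme: " + scheme)
    return values[0] == values[1]


if __name__ == "__main__":
    print("md5 digests identical:", stored_values_collide("md5"))       # True
    print("scrypt digests identical:", stored_values_collide("scrypt"))  # False
```

The salt has to be stored next to the digest; that is fine, because its job is not secrecy but making each stored value unique and forcing every guess to be computed separately for each user.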
At the time of writing, the Gaana website is down for maintenance and no official statement has been provided yet. The site currently displays: "Site is down due to server maintenance. We will be back shortly. Kindly bear with us till then."
Details of 10 Million Users Available in a Searchable Database:
The hacker, nicknamed Mak Man, posted the link to a searchable database of Gaana user details on his Facebook page, along with images of the service's admin panel. By exploiting an SQL injection vulnerability in the Gaana website, Mak Man managed to gain access to the details of its 10 Million users. The hacker has also posted on Facebook a screenshot of the SQL exploit he used to get access to the data.
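To make concrete what an SQL injection flaw is and why bound parameters close it, the following is an added example, not code from the article or from Gaana: a minimal in-memory SQLite users table (constructed sample data) queried first by pasting the username into the SQL text, then with a parameter bound by the driver. The table layout, column names and lookup functions are assumptions for illustration.

```python
import sqlite3

# Constructed sample data standing in for a site's users table (not real Gaana data).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: the caller-supplied value is pasted into the SQL text,
    so a quote character in the input changes the meaning of the statement."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Fixed pattern: the value travels as a bound parameter, never as SQL text,
    so the database compares it literally and the statement shape cannot change."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal name and with a quote-bearing input and
    report how many rows each returned."""
    conn = build_db()
    normal = "alice"
    # A quote in the input closes the string literal in the vulnerable query and
    # appends an always-true condition, so the whole table comes back.
    malformed = "x' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_malformed": len(lookup_vulnerable(conn, malformed)),
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_malformed": len(lookup_safe(conn, malformed)),
    }


if __name__ == "__main__":
    # {'vulnerable_normal': 1, 'vulnerable_malformed': 2, 'safe_normal': 1, 'safe_malformed': 0}
    print(demo())
```

The parameterised version treats the malformed input as an ordinary username that matches nothing, which is the behaviour a reviewer should expect from every query that touches user-controlled input; searching a code base for string formatting into SQL text is the quickest way to find the other pattern.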
Mak Man claimed that he had previously reported the vulnerability to Gaana.com with full details of the flaw. However, the company did not respond to his report and ignored it, which resulted in the breach of innocent users' personal information.
Flaw Reported to the Company, but Ignored:
It is surprising that Gaana, which belongs to one of India's biggest internet companies, Times Internet Limited, is vulnerable to such attacks. It is even more surprising that such a reputed company would ignore vulnerabilities reported to it, putting millions of users at risk.
Many data breaches occur because of exactly this behaviour: hackers and bug hunters responsibly report flaws to companies, the companies ignore the issues, and the reporters are encouraged to go public with the details of the companies' customers.
Times Internet CEO Satyan Gajwani later replied to the hacker's post on Facebook and apologised that the company hadn't responded to the security concerns raised by Mak Man.
"I don't think your intention is to expose personal information about Gaana users, but to highlight a vulnerability," Gajwani added. "Consider it highlighted, and we're 100% on it. Can I request that you take down access to the data, and delete it completely?"
Gajwani then took to Twitter and said that the company is taking the issue seriously and taking steps to fix it. He also said that no financial or sensitive information was lost, and encouraged all customers to reset their passwords as soon as possible.
However, simply changing the password on your Gaana account would not solve the problem, as the change would also be reflected in the leaked database. You are advised to deactivate your account until the issue is resolved. Besides this, change your email, Facebook and Twitter passwords if you use the same password as on Gaana.
UPDATE
"I hereby confirm that no financial information was accessed during the hack of Gaana.com .. Database was so huge that I didn't even bother looking and no information was dumped and stored locally .. not even a single row," Mak Man said in a Facebook post.
However, even if the hacker claims that he has not downloaded the Gaana.com database through the SQL injection vulnerability, that does not mean nobody else has exploited the flaw, as the loophole in the website had been open for the last few months. It is therefore possible that someone else found the vulnerability and already stole the data in the past without the company's knowledge.