Indian music streaming service Gaana, which has over 7.5 million monthly visitors, has been compromised by a hacker and its user information database is now exposed.
The hacker, who goes by the moniker Mak Man and appears to be based in Lahore, Pakistan, posted a link to a searchable database of Gaana user details on his Facebook page. Enter a user’s email address and it spits out their full name, email address, MD5-hashed password, date of birth, Facebook and Twitter profiles and more.
The hack appears to be a SQL injection-based exploit of Gaana’s systems, but the intention behind it is unknown. The database shows more than 12.5 million users are currently registered on Gaana.
Mak Man also posted images of the service’s admin panel.
It’s worrying that an online service from one of India’s biggest internet companies (Times Internet) is vulnerable to attacks like this.
With user details exposed, it may not do much good to simply change your Gaana password, as the new one will be reflected in the hacker’s database. You’re better off deactivating your account until the issue is resolved, and changing your email, Facebook and Twitter passwords right away if they’re the same as on Gaana.
Update: Since our story broke, Gaana has taken its site offline and the exposed database didn’t return search results when we queried it with test data.
The hacker has updated his database page with the following message: “The vulnerable parameter I was using here, has been patched by the Admin
Now the question is, Was this the only vulnerable parameter I had .. ? ;)”
Update 2: Times Internet CEO Satyan Gajwani tweeted that only login credentials were accessed and no financial or sensitive personal data was leaked.
Gajwani attempted to contact the hacker on Facebook and acknowledged the issue. He added that the attack was the hacker’s way of highlighting Gaana’s vulnerability.
The exposed database has since been removed at Gajwani’s request. All Gaana users’ passwords have been reset.
Gajwani also sought to reassure his followers that no user data was stored and that the passwords were hashed. Hacker Mak Man also confirmed this in a Facebook post. However, that can’t be confirmed and you’d best change your passwords for any social accounts and email addresses associated with your Gaana profile.
According to Pranesh Prakash, Policy Director at Center for Internet and Society in Bangalore, India, the MD5 hashing algorithm which appears to have been used for securing passwords isn’t very strong and could easily be unscrambled using a rainbow table to get the plain-text version of the data.
Prakash also says that for added security, Gaana should:
- Stop using MD5 as its password hashing function and instead look at stronger password derivation functions like scrypt, bcrypt, or PBKDF2.
- Sanitize its SQL inputs to protect against malicious SQL injections.
- Enable two-factor authentication for users to log in securely.
- Urge its users to use long passphrases instead of short complicated passwords and never to reuse a password.
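
The first two recommendations can be seen side by side in a short sketch. This is an added example, not Gaana's code: the table layout, function names and scrypt cost parameters are assumptions, and it uses bound query parameters rather than string sanitizing to keep input out of the SQL text.

```python
import hashlib, hmac, os, sqlite3

# scrypt cost parameters: assumed values for this sketch, tune for your hardware
N, R, P = 2**14, 8, 1

def md5_hex(password):
    """Unsalted MD5: equal passwords give equal hashes, so lookup tables work."""
    return hashlib.md5(password.encode()).hexdigest()

def scrypt_hash(password, salt=None):
    """Salted scrypt: a fresh random salt per user defeats precomputed tables."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return salt, key

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw BLOB)")
    return db

def register(db, email, password):
    salt, key = scrypt_hash(password)
    # Bound parameters (?) keep user input out of the SQL text entirely
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (email, salt, key))

def login(db, email, password):
    row = db.execute(
        "SELECT salt, pw FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    _, key = scrypt_hash(password, row[0])
    return hmac.compare_digest(key, row[1])  # constant-time comparison

if __name__ == "__main__":
    db = make_db()
    # Constructed sample accounts sharing one password
    register(db, "a@example.com", "correct horse battery")
    register(db, "b@example.com", "correct horse battery")
    stored = [r[0] for r in db.execute("SELECT pw FROM users")]
    print("MD5 identical for both users:",
          md5_hex("correct horse battery") == md5_hex("correct horse battery"))
    print("scrypt hashes identical:", stored[0] == stored[1])
    print("login ok:", login(db, "a@example.com", "correct horse battery"))
    print("injection-style email:", login(db, "' OR '1'='1", "x"))
```

Two accounts with the same password produce the same MD5 value but different scrypt values, and the quote-laden email is treated as a literal string that matches no row.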