
Gaana.com is one of the most popular music streaming services in India, with more than 10 million registered users and approximately 7.5 million monthly visitors. Gaana has been hacked, and its user information database has been exposed as a result.

The person who claimed responsibility for the hack is a hacker from Pakistan. He claimed that the details of more than 10 million users have been stolen and are available within a searchable database. This sensitive user information includes email addresses, usernames, dates of birth, and various other personal details.

The Gaana.com website was down for maintenance and no official statement has been released. The site displays a simple message saying it is down because of server maintenance and that they will be back shortly.

Personal data exposed

The Pakistani hacker with the nickname Mak Man has posted the link to a searchable database featuring the details of Gaana.com users on his Facebook page (already unavailable).

Gaana.com personal users data exposed dashboard screenshot

A screenshot of the full admin panel from Mak Man was available, showing names, usernames, and other details. The SQL exploit he used to get access to a significantly sized user database was also featured in his post.

Ignored flaw becomes a breach

The hacker claims that he had previously spotted the vulnerability and reported it to Gaana as a flaw. The company, however, did not respond and ignored it, which resulted in many innocent users having their personal information exposed.

It is unusual for a large internet company to be vulnerable to such large attacks. It is also strange that a company with such a good reputation would ignore vulnerabilities, especially when they are reported. It would put millions of users at risk, as demonstrated by this hack.

Many data breaches occur every day because companies ignore flaws that are reported to them. It is when the issues are ignored that hackers are encouraged to go public with customer details. This is a great way to make sure that people will listen.

Satyan Gajwani, CEO of Times Internet, which owns Gaana, replied to Mak Man’s Facebook post and apologized that the company did not respond to the security concerns that the hacker identified.

“I don’t think your intention is to expose personal information about Gaana users, but to highlight a vulnerability,” Gajwani wrote in his post. “Consider it highlighted, and we’re 100% on it. Can I request that you take down access to the data, and delete it completely?”

After that, the hacker actually removed the data from public access:

Gaana.com SQL exploit by MakMan
Screenshot of the hacker’s site

Gajwani also took to Twitter to state that the issue is being taken seriously and that steps are being taken to fix it.

He also said that no sensitive information or financial information was lost:

Even if the Pakistani hacker did not download the database by exploiting the SQL injection vulnerability, that does not mean that no one else exploited the flaw during this time. This is a loophole that has been available on the website for several months. It is even possible for the data to have been stolen in recent days, without the company being aware of it.

Gaana learned its lesson

Companies of every size need to know their vulnerabilities and be proactive when someone contacts the company to identify a security flaw. Like Gaana did:

The first time may be someone simply identifying a flaw, but the second time may be a person acting in a more malicious way.
