Indian music streaming service Gaana, which serves over seven million listeners every month, has been hacked, leading to over twelve million users' data being leaked online.
The hacker Mukarram Khalid, who goes by the online alias Mak Man and appears to be based in Lahore, Pakistan, posted a link on Wednesday to a searchable database of the details of every Gaana user compromised in the breach. The Facebook link to the Gaana database has since been deleted, but users' first and last names, email addresses, hashed passwords, dates of birth and connected Twitter and Facebook profiles were exposed in the breach.
Mak Man initially broke into Gaana's systems through an SQL injection; the hacker's motive remains unknown. The leaked database contains more than 12.5 million active users registered on Gaana. To further prove the hack, Mak Man posted several screenshots of Gaana's admin panel, showing the database and registered user accounts.
Gaana is owned by Times Internet, one of India's largest Internet companies, whose CEO Satyan Gajwani has confirmed that login credentials were stolen, but that no financial or sensitive information was accessed by the Pakistani hacker.
No financial or sensitive personal data beyond Gaana login credentials were accessed. No third party credentials were accessed either. 3/n
— Satyan Gajwani (@satyangajwani) May 28, 2015
After publicly addressing the issue, Gajwani reached out to Mak Man on Facebook, acknowledging the problem and adding that the hacker had helped highlight a critical vulnerability in Gaana's systems.
Given the details Mak Man exposed, changing your Gaana password might not do much, as the change would simply show up in the hacker's database, TNW reported. It is recommended that all Gaana users deactivate their accounts for the time being, and change their email, Facebook and Twitter passwords if those accounts were connected to Gaana in any way. It would also be worth revoking Gaana's access to your social accounts until the flaw is properly fixed.
Following the attack, Gaana was taken offline, presumably for emergency maintenance and to patch the glaring vulnerability that led to the database breach.
Mak Man updated the Gaana breach database page, adding the following message: “The vulnerable parameter I was using here, has been patched by the Admin
Now the question is, Was this the only vulnerable parameter I had .. ? ;)”
Gajwani asked the hacker to take the database offline, which he did. Gajwani noted that all Gaana users' passwords have been automatically reset, and reassured members that no sensitive user data was stored on Gaana's servers and that the leaked passwords were hashed. Mak Man confirmed this in a separate Facebook post.
Pranesh Prakash, Policy Director at the Centre for Internet and Society in Bangalore, India, said the MD5 hashing algorithm Gaana used to protect passwords is extremely weak and could let attackers easily recover the plaintext passwords from the hashes.
Prakash recommended that Gaana take the following steps to secure its business and its users:
- Stop using MD5 for password hashing and adopt a stronger password-derivation function such as scrypt, bcrypt or PBKDF2.
- Sanitize Gaana's SQL inputs to prevent future SQL injection attacks.
- Let users enable two-step verification, so they have the ability to log in securely.
- Urge users to choose a strong password and never to reuse passwords across the web.
Gajwani has since stated that Gaana's systems are secure and that the leaked passwords have been taken offline.