Update 2: In a new status update, Mak Man has said that no financial information was accessed during the hack of the database, and that no information was dumped or stored locally. He also said that the exploit script was just a proof of concept (PoC) to highlight the issue, which was grabbing the details directly from their DBMS.
Update 1: A few hours after posting a searchable database link of Gaana user details on his Facebook page, Mak Man has now removed it from his website at the request of Times Internet CEO Satyan Gajwani.
Original story:
Indian music streaming service Gaana has been hacked by a Lahore-based hacker who goes by the name of Mak Man. Mak Man has also posted a searchable database link of Gaana user details on his Facebook page. The development was first reported by TheNextWeb.
The hack appears to be a SQL injection-based exploit of Gaana’s systems. Enter a user’s email ID and it outputs their full name, email address, password, date of birth, Facebook and Twitter profiles and a lot more. The database shows more than 12.5 million users are currently registered on Gaana.
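To show the class of defect the article describes, here is an added example (not code from Gaana or from the article): an e-mail-keyed user lookup that splices its input into the SQL text, beside the parameterised form, run against constructed sample rows in an in-memory SQLite table. The table layout, the sample addresses and the hash placeholders are all assumptions made for the example.

```python
import sqlite3

# Constructed sample rows standing in for a streaming service's user table.
# Values are made up for this example; the password column holds a hash
# placeholder rather than a cleartext password.
SAMPLE_USERS = [
    ("alice@example.com", "Alice Example", "1990-01-02", "<hash-of-alice-pw>"),
    ("bob@example.com", "Bob Example", "1985-07-15", "<hash-of-bob-pw>"),
]

def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, full_name TEXT, dob TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn

def lookup_vulnerable(conn, email):
    """Lookup that splices the caller's input into the SQL text.

    The input becomes part of the statement, so a value containing SQL syntax
    changes what the query does instead of being matched as an address.
    This is the defect class the article reports.
    """
    sql = "SELECT email, full_name, dob FROM users WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()

def lookup_safe(conn, email):
    """Same lookup with a bound parameter: the driver passes the value apart
    from the statement, so it is only ever compared as a string."""
    sql = "SELECT email, full_name, dob FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

def compare(email):
    """Run both lookups against a fresh database; return (vulnerable, safe)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, email), lookup_safe(conn, email)
    finally:
        conn.close()

if __name__ == "__main__":
    # A real address matches one row either way. The textbook probe string
    # makes the string-built query return every row, while the parameterised
    # query correctly returns nothing: a quick regression check for the fix.
    for probe in ("alice@example.com", "' OR '1'='1"):
        vuln, safe = compare(probe)
        print(repr(probe), "->", len(vuln), "rows (vulnerable),", len(safe), "rows (safe)")
```

The same comparison doubles as a regression test once a lookup has been rewritten to use bound parameters.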
Mak Man also posted images of the service’s admin panel.
Since the story broke, Gaana has taken its site offline, and the exposed database did not return search results when we queried it with test data.
It looks like the database has been patched and the queries are no longer working. However, the hacker’s latest status update on Facebook mischievously suggests that there might be more vulnerabilities in Gaana’s system and that this might just be the beginning.
It is shocking to see that giants like Times are also vulnerable to such exploits, risking the data and privacy of millions of users. Gaana reportedly has over 7.5 Mn monthly visitors and over 10 million active users.
Apart from Gaana, other music streaming companies in India include Saavn, Airtel’s Wynk, Hungama and Vodafone Music, among others. Earlier this year, audio streaming company Rdio launched in India with a catalogue of 32 Mn songs in 43 languages; previously, Rdio had acquired Pune-based Dhingana. Recently, Hungama crossed the milestone of 50 Mn+ monthly active users on its platform, with the aim of crossing 100 Mn MAUs by March 2016. Australian music streaming service Guvera also claims to have over 3 Mn users in India.
Satyan Gajwani spoke about this issue on Twitter in a series of tweets:
A couple of hours ago, a hacker named MakMan exposed a vulnerability in one of our Gaana user databases. Here’s where things stand: 1/n
— Satyan Gajwani (@satyangajwani) May 28, 2015
First of all, we have patched the vulnerability within an hour of its discovery, as MakMan has also acknowledged. 2/n
— Satyan Gajwani (@satyangajwani) May 28, 2015
No financial or sensitive personal data beyond Gaana login credentials were accessed. No third party credentials were accessed either. 3/n
— Satyan Gajwani (@satyangajwani) May 28, 2015
As we understand, the data has not been accessed or shared with anyone; MakMan was highlighting the issue, which we’ve recognized. 4/n
— Satyan Gajwani (@satyangajwani) May 28, 2015
Most of our users’ data has not been compromised, but we’ve reset all Gaana user passwords, so all users have to make new ones. 5/n
— Satyan Gajwani (@satyangajwani) May 28, 2015
Yep, it’s a pain, but it’s important. 6/n
— Satyan Gajwani (@satyangajwani) May 28, 2015
Finally, security is a major focus for us, and we are further strengthening our user security team. 7/n
— Satyan Gajwani (@satyangajwani) May 28, 2015
We’ve asked Makman if he’d be willing to work with us and help us find any other issues as well. https://t.co/8txhpbKGVc 8/n
— Satyan Gajwani (@satyangajwani) May 28, 2015
We’re running diagnostics to find any other issues, but rest assured, we’re taking every step to ensure all user info is secure and private.
— Satyan Gajwani (@satyangajwani) May 28, 2015
And the hackers have removed the database from their site. #amankiasha pic.twitter.com/9ZPeS2CJ8a
— Satyan Gajwani (@satyangajwani) May 28, 2015
Update: No data was ever stored, and the site is removed. Nonetheless, we are resetting all user details on @gaana pic.twitter.com/YanYnA0XXA
— Satyan Gajwani (@satyangajwani) May 28, 2015