Major Indian Music Streaming Service Gaana Gutted

A hacker copied a database containing details on more than 12.5 million registered users, and posted a searchable version of the system online.

The attacker, who goes by the moniker Mak Man and appears to be based in Lahore, Pakistan, created a link to the data dump and shared it on his Facebook page.

“Enter a user’s email address and it spits out their full name, email address, MD5-hashed password, date of birth Facebook and Twitter profiles and more,” The Next Web reports.

Mak Man appears to have entered Gaana’s infrastructure by exploiting a vulnerability in at least one of its systems.

Mak Man also posted images of the service’s admin panel.

Any password changes made by victims would have shown up on the live database.

After the news broke on May 27, Gaana, which is owned by Times Internet, took the site offline and the public database ceased returning results.

According to Pranesh Prakash, policy director at Center for Internet and Society in Bangalore, the MD5 hashing algorithm which appears to have been used for securing passwords is not very strong and could easily be unscrambled to see the plain-text version of the data.

Update:

The hacker has put up the following message:

“The vulnerable parameter I was using here, has been patched by the Admin
Now the question is, Was this the only vulnerable parameter I had .. ? ;)”

Times Internet CEO Satyan Gajwani tweeted that only login credentials were accessed and no financial or sensitive personal data was leaked.

The attack was the hacker’s way of highlighting Gaana’s vulnerability.