In what could easily be termed as the most lethal cyber attack in India’s short internet history, one of the most popular online music streaming services, Gaana.com has been hacked by a cyber-attacker based in Lahore who goes by the name Mak Man. He has also uploaded a searchable link of the entire Gaana.com’s user database on his Facebook page.
The hacker also claimed that he has gained access to the back panel of the website and has also posted its screenshots. He has used SQL Injunction technique for the attack on website. The hacked database of users consists of full name, email addresses, passwords, date of birth, Facebook and Twitter profiles, etc.
As per the the database taken over by hacker, Gaana has about 12.5 million registered users for its service. Gaana has currently taken down its website and is working on a patch to fix this exploit.
In a series of Tweets, Satyan Gajwani, CEO of Times Internet, said,
“A couple of hours ago, a hacker name MakMan exposed a vulnerability in one of our Gaana user databases. First of all, we have patched the vulnerability within an hour of its discovery, as MakMan has also acknowledged. No financial or sensitive personal data beyond Gaana login credentials were accessed. No third party credentials were accessed either. As we understand, the data has not been accessed or shared with anyone; MakMan was highlighting the issue, which we’ve recognized. Most of our users’ data has not been compromised, but we’ve reset all Gaana user passwords, so all users have to make new ones.”
In a rare and rather surprising gesture, Satyan Gajwani has asked Mak Men to work with them as a consultant to help them make their products secure. He also said that “security is a major focus for us, and we are further strengthening our user security team.”
The hacker has also removed database of the users from his website on the request of Satyan Gajwani, CEO of Times Internet. So a rare case of ethical hacking after all ?
[Update]
In a tweet, the hacker has confirmed that no financial details of the users were accessed and he has not stored any information locally. As per the hacker, the only reason for hacking Gaana was to highlight the issue which was grabbing information directly from their DBMS.
The hacker also said that nobody was able to grab bulk information through its script as it was protected by CAPTCHA and it has ability to IPs with automated behavior.