One of India’s most popular music streaming services, Gaana, was pulled offline after a hack resulted in a leak of data affecting more than 10 million users, reports SC Magazine.
The hacker was able to exploit an SQL injection vulnerability, giving access to users’ login data. However, writing on Twitter, Satyan Gajwani – the CEO of Times Internet, the company that owns Gaana – explained that sensitive personal data, financial information and third-party login credentials were untouched.
The Next Web reports that the website was down for a period while the vulnerability was fixed, but that for a time, a searchable database was online revealing more than 12.5 million users registered on Gaana. The report adds that entering an email address would reveal a full name, MD5-hashed password, date of birth, Facebook and Twitter profiles, and more.
At the time of writing, the site is back online, but has reset the passwords of all its users. Hacker News reports that the hacker – who goes by the nickname of ‘Mak Man’ – claimed to have reported the exploit to Gaana before, only to get no response. As The Register explains, “the supposedly well-intentioned individual published leaked data to prove there was an issue. It was only at this point that Gaana acted, resetting user passwords and temporarily disabling access to the site.”
International Business Times of India has since reported that Gajwani again took to Twitter to reveal he had approached the hacker to work with the company to expose possible vulnerabilities and avoid future breaches.