Gaana.com Gets Hacked By Pakistani Hacker, Leaves 12.5M User Accounts Untouched
Times Internet, which claims to be the largest Indian online group with a combined 6.5 billion pageviews every month, was humbled and exposed by a Pakistani hacker from Lahore. This hacker, who calls himself Mak Man, hacked into the database of Gaana.com, which is Times Internet’s commercial music streaming service, available in 21 languages.
Mak Man’s intentions were not bad: no database was stolen or exposed, and no financial data was compromised. Also, according to him, he had contacted Times Internet but did not get any response, and hence made the information public.
The hack was carried out to showcase the vulnerability and weak security features of one of the largest Internet companies from India.
After the hack was performed, Mak Man issued this statement on his Facebook account:
How It Happened?
Using an SQL injection-based exploit, Mak Man hacked into the enormous database of Gaana.com, which gets 75 lakh monthly visitors and has 12.5 million registered users as of now.
After hacking into this database, he posted images on his Facebook account and also shared a link to a page on his website that acted as a proxy resource for accessing all Gaana.com account details.
As per media reports, any visitor could have entered a Gaana.com user’s email address, and sensitive data such as full name, date of birth, and Facebook and Twitter accounts, along with the MD5-hashed password, would be returned.
This proxy page has now been deleted, and this information is currently being shown:
Times Internet Responds
Later in the day, Satyan Gajwani, CEO of Times Internet, acknowledged that this hack had actually happened, but assured all users that no details were stolen. He tweeted:
No financial or sensitive personal data beyond Gaana login credentials were accessed. No third party credentials were accessed either. 3/n
— Satyan Gajwani (@satyangajwani) May 28, 2015
He also said that access details of all the users are being updated and security made more robust.
Why Did This Hack Happen?
When a Twitter user asked Satyan this question, he said that the SQL injection was performed on a developer API that was obsolete and no longer in use. Hence, it was ‘missed’ by their security team, which resulted in the hack.
SQL Injection is no doubt one of the most common and lethal attacks to compromise a website or portal. But considering that Times Internet is counted among India’s top web services, this glitch in security is alarming.
As mentioned earlier, Mak Man had no evil intentions of misusing the data; if he had, he could have exported all user details, and the information would have reached the dark, underground belly of the Internet within minutes, fetching him a fortune.
We hope and expect that Times Internet revamps its security protocols and checks, and safeguards its users’ precious data. Not every hacker is like Mak Man!