Indian online music streaming service Gaana.com has been hacked. Information on more than 10 million users is now accessible online.
The hacker has also added a defacement page saying, “The vulnerable parameter I was using here, has been patched by the Admin
Now the question is, Was this the only vulnerable parameter I had .. ? ;)”.
The hacker, who is on Facebook as Mak Man, seems to be from Lahore, Pakistan. He posted a link to a searchable database of Gaana.com user details. Entering the email address of any user returns that user's profile data, including the MD5-hashed password, date of birth, Facebook and Twitter profile usernames and more.
The hacker exploited a SQL injection vulnerability in the Gaana.com website. By exploiting this vulnerability, he scraped all the user records. Beyond the user information, he also gained access to the backend of the Gaana.com portal and posted screenshots of it.
At the time of writing this post, Times Internet has taken down the Gaana.com website. The website shows that it is down for maintenance.
[UPDATE]: The hacker has taken down the page on his website that allowed other people to access Gaana.com’s user details, after the Times Internet CEO asked him to do so and asked for his cooperation on this issue. It is really surprising that the people who manage the security of Gaana.com were too lazy to fix the issue the hacker had already reported a few days earlier. They knew about the vulnerability but ignored it. This is why the hacker took this step to draw the world's attention to his findings.
If you are a Gaana.com user and use the same password for your other accounts, we advise you to change all your passwords now.