Indian music streaming service Gaana.com was hacked by a netizen named Mak Man on Thursday, 28 May. The streaming service with 10 million users belongs to Times Internet. After hacking the website, the hacker aka Mak Man shared the news on Facebook, reported Business Standard.
Interestingly, the CEO later offered the hacker a job at Gaana.com to help find other issue on the website. After hacking the website, ‘Mak Man’ shared the news on Facebook, according to Business Standard, and wrote: “Mak Man
[SQL injection] Gaana.com – http://makman.tk/gaana.php
Alexa rank: 121 (India)
Number of user records in database: 10 million+
Exploit POC: http://makman.tk/gaana.php
POC details: Enter the email address of the user (registered on gaana.com) to get all the details.”
— Satyan Gajwani (@satyangajwani) May 28, 2015
So how exactly did Khalid gain access to Gaana.com’s servers? He says the vulnerability was SQL injection. Simply put, it’s a bug in the website’s code that occurs when an input parameter from the client side has not been properly sanitised, allowing a hacker to execute SQL (Structured Query Language) code at the website’s back-end DBMS (Database Management System).
“In this particular case (Gaana.com), there was a user table in the database which had almost 12 million records. This table had all the usernames, email addresses, passwords (MD5 encrypted), date of birth, Facebook IDs, Twitter IDs and other financial information,” said Khalid, in an email to us.
While he claims he didn’t steal or download any of the information, Khalid says it was easily within his grasp, although it would’ve taken a few days given the sheer quantity.
How to Protect Data:
- Never use the same password for multiple online accounts
- Don’t click on unknown links or URLs while online
- Keep your system and your antivirus software up to date.
- Make sure that when you’re entering your financial details into any online portal, it’s a legitimate organisation, and one you can trust.
And his efforts seem to have paid off. Times Internet CEO Satyan Gajwani came out on social media, owning up for the goof and thanking the then anonymous Mak Man for his efforts. The hole has since been patched, and Gaana.com was offline for a few hours last evening as they carried out extensive diagnostic tests to uncover any further flaws. At Gajwani’s request, Khalid also took down the script he had hosted on his website.