Indian music streaming service Ganaa hacked, site yanked offline
Frustrated 'white hat' reportedly went large after being ignored
Service has been suspended, and passwords reset, following a hack against Indian music streaming service Ganaa.
Ganaa detailed its response to the newly-discovered security breach in a series of updates to its official Twitter feed.
We have temporarily removed access to our website and app as a vulnerability in one of our Gaana user databases was exposed.
No financial or sensitive personal data beyond Gaana login credentials were accessed. No third party credentials were accessed either.
Most of our users' data has not been compromised, but we've reset all Gaana user passwords, so all users have to make new ones.
The service added that it intends to bolster security in the wake of the breach.
Gaana is one of the top music streaming sites in India and boasts more than 7.5 million monthly users. According to local reports, it was hit by a Pakistan-based hacker called Mak Man who subsequently posted screen shots of Gaana data revealing not only the login details of users but passwords and other private details.
However, an update to the official Gaana Twitter feed implies that the whistleblower only posted the information after reporting it to Ganna and failing to get it to fix a problem he'd discovered.
Frustrated by Ganaa's stance, the supposedly well-intentioned individual published leaked data to prove there was an issue. It was only at this point that Ganaa acted, resetting user passwords and temporarily disabling access to the site, which remains unavailable at the time of writing on Thursday afternoon.
The hacker quickly pulled his proof of concept (problem) leak sample site but that still left the possibility that other, less well-intentioned individuals might already have snaffled the data. Such data leaks are useful for malicious hackers because of the widespread practice of password re-use between multiple sites.
Trey Ford, global security strategist at Rapid7, the firm behind Metasploit, commented that the upshot of the incident was that Ganaa had been pushed into fixing the problem.
"Companies that aren’t accustomed to receiving bug reports from outside the company tend to respond in a variety of ways; this can be frustrating for researchers. I think the hope for any security researcher is to see a reported vulnerability fixed before something bad happens to the website or users. In this case, it looks like Gaana.com may have been pressured into acknowledging and acting on this vulnerability."
"It sounds like Gaana.com is taking the right steps by forcing a password reset for their users, and all the normal guidance applies: if people are using their Gaana.com password anywhere else, they need to go change that password on other sites to something unique before their account is accessed," Ford concluded.
The story about Ganaa's breach was first reported by The Next Web. ®