A Pakistani hacker who goes by the alias Mak Man gained access to the records of more than 10 million registered users of the popular music streaming site Gaana.com by exploiting a SQL injection vulnerability. Details such as usernames, email addresses, MD5-hashed passwords, dates of birth, and other personal information were exposed and made available in a searchable database.
The hacker also posted on Facebook a screenshot of the SQL exploit he used to access the data. He claimed that the vulnerability had been reported to Gaana.com earlier, but that the company ignored it.
Times Internet's CEO, Satyan Gajwani, later apologized to the hacker in a reply to the hacker's Facebook post:
"Hi, I'm Satyan, CEO of Times Internet, which runs Gaana.
First of all, I'd like to apologize personally if you had shared these reports and we didn't respond earlier. Totally unacceptable by us, and I'm looking into it. Second, I don't think your intention is to expose personal information about Gaana users, but to highlight a vulnerability. Consider it highlighted, and we're 100% on it. Can I request that you take down access to the data, and delete it completely?
And finally, if possible, I'd appreciate if we could hire you as a consultant to help us find any more vulnerabilities across our network, so that we can keep our products as secure as possible. If you're interested, message me directly, as I'd be very grateful for your advice."
Times Internet's CEO then tweeted that no financial or sensitive information was lost. The hacker, for his part, accepted Gajwani's request and has taken down access to the data.