Full Report
In December 2025, data allegedly breached from the Indian streaming music service "Raaga" was posted for sale to a popular hacking forum. The data contained 10M unique email addresses along with names, genders, ages (in some cases, full date of birth), postcodes and passwords stored as unsalted MD5 hashes.
Analysis Summary
# Incident Report: Raaga Streaming Service Data Leak (Dec 2025)
## Executive Summary
In December 2025, data allegedly exfiltrated from the Indian streaming music service "Raaga" was posted for sale on a popular hacking forum. The listing contained 10 million unique email addresses together with names, genders, ages, postcodes and password hashes. The risk to affected users is high because the passwords were stored as unsalted MD5 hashes, which can be recovered at scale by dictionary lookup and then reused in credential-stuffing attacks against other services.
## Incident Details
- Discovery Date: January 19, 2026 (date the dataset was loaded into Have I Been Pwned (HIBP); this marks public notification, not confirmation by Raaga)
- Incident Date: December 2025 (Date the breach allegedly occurred/data was exfiltrated)
- Affected Organization: Raaga (Indian streaming music service)
- Sector: Media/Entertainment (Streaming Music)
- Geography: India (Assumed based on customer base)
## Timeline of Events
### Initial Access
- Date/Time: Sometime in or prior to December 2025
- Vector: Undisclosed. The forum listing does not state how access was obtained; a vulnerability in an exposed service or compromised credentials are the usual possibilities, but neither is evidenced in the source.
- Details: Attackers gained access to the database containing user PII and credential material.
### Lateral Movement
- Details: Not described in the source. Nothing in the listing indicates whether the attacker reached the user database directly or moved between systems first, so no lateral movement can be asserted.
### Data Exfiltration/Impact
- By December 2025: Approximately 10 million unique user records had been exfiltrated and were posted for sale on a popular hacking forum. Each record included an email address, name, gender, age (in some cases a full date of birth), postcode and a password stored as an unsalted MD5 hash.
### Detection & Response
- Date/Time: January 19, 2026 (dataset loaded into HIBP; affected users could check their exposure from this date).
- Response actions taken: Public recommendations focused on user remediation (password changes, 2FA enablement). No organizational incident response actions were detailed in the provided summary source.
## Attack Methodology
- Initial Access: Unknown; not stated in the source.
- Persistence: Unknown.
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown.
- Credential Access: The leaked column set (email, name, DOB, postcode, password hash) matches a user table, indicating the attacker read the credential store directly rather than harvesting credentials at login time.
- Discovery: Unknown.
- Lateral Movement: Unknown.
- Collection: Querying and extracting the user table(s) containing PII and password hashes (inferred from the column set in the listing).
- Exfiltration: Data uploaded or transmitted off-network and subsequently posted for sale on a hacking forum.
- Impact: Sensitive personal data disclosure and credential compromise.
## Impact Assessment
- Financial: Unknown; regulatory penalties and remediation costs (forced password resets, user notification, re-hashing) are possible.
- Data Breach: **10 Million unique records.** Included: Email addresses, Names, Genders, Ages, **Full Dates of Birth (in some cases)**, Postcodes, and Passwords stored as **unsalted MD5 hashes**.
- Operational: No information on business disruption, but service credibility likely damaged.
- Reputational: High negative impact due to the large scale of the leak and the severity of the hash storage method.
## Indicators of Compromise
- **Note:** No specific IoCs (IPs, domains, file hashes) were provided in the source text.
- Behavioral indicators worth hunting for: a single database principal reading an unusually large number of rows from the user table in a short period; SELECTs over the user table with no filter predicate; large outbound transfers from database or application hosts to an unfamiliar destination in the period before the listing appeared.
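As an added example (not from the source report and not Raaga's tooling), the following Python turns the behavioural indicators above into detection logic run over constructed database-audit lines. The key=value audit line format, the `users` table name, the 10,000-row budget and the 10-minute window are all assumptions; a real deployment would read the audit log of whatever database engine is in use.

```python
"""Detection logic for the behavioural indicators above, run over constructed
sample database-audit lines.  Added example, not Raaga's telemetry or any
vendor's log format: the key=value audit line, the table name "users", the
10,000-row budget and the 10-minute window are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines: an application role doing per-user lookups, then a
# reporting role paging through the whole users table in four large reads.
SAMPLE_LOG = """\
2025-12-03T02:10:11Z user=app_rw src=10.0.2.15 table=users rows=1 stmt="SELECT * FROM users WHERE id=$1"
2025-12-03T02:10:12Z user=app_rw src=10.0.2.15 table=plays rows=40 stmt="SELECT * FROM plays WHERE user_id=$1"
2025-12-03T02:14:07Z user=app_rw src=10.0.2.15 table=users rows=1 stmt="SELECT * FROM users WHERE email=$1"
2025-12-03T03:01:30Z user=report src=10.0.9.77 table=users rows=2500000 stmt="SELECT id,email,name,dob,postcode,password FROM users LIMIT 2500000"
2025-12-03T03:03:02Z user=report src=10.0.9.77 table=users rows=2500000 stmt="SELECT id,email,name,dob,postcode,password FROM users LIMIT 2500000 OFFSET 2500000"
2025-12-03T03:05:41Z user=report src=10.0.9.77 table=users rows=2500000 stmt="SELECT id,email,name,dob,postcode,password FROM users LIMIT 2500000 OFFSET 5000000"
2025-12-03T03:08:15Z user=report src=10.0.9.77 table=users rows=2500000 stmt="SELECT id,email,name,dob,postcode,password FROM users LIMIT 2500000 OFFSET 7500000"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) table=(?P<table>\S+) '
    r'rows=(?P<rows>\d+) stmt="(?P<stmt>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one audit line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["rows"] = int(ev["rows"])
    return ev


def detect_bulk_reads(log_text, sensitive_tables=frozenset({"users"}),
                      row_budget=10_000, window=timedelta(minutes=10)):
    """Two checks per (db user, source IP) principal on sensitive tables:
    1. any statement with no WHERE predicate (a whole-table read), and
    2. more than row_budget rows returned inside a sliding window,
       reported once per principal per window."""
    alerts = []
    recent = defaultdict(list)   # principal -> [(ts, rows)] inside the window
    volume_alerted = {}          # principal -> ts of the last volume alert
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["table"] not in sensitive_tables:
            continue
        principal = (ev["user"], ev["src"])
        if " where " not in ev["stmt"].lower():
            alerts.append({"kind": "unfiltered_read", "principal": principal,
                           "ts": ev["ts"], "rows": ev["rows"], "stmt": ev["stmt"]})
        cutoff = ev["ts"] - window
        bucket = [(t, r) for t, r in recent[principal] if t >= cutoff]
        bucket.append((ev["ts"], ev["rows"]))
        recent[principal] = bucket
        total = sum(r for _, r in bucket)
        last = volume_alerted.get(principal)
        if total > row_budget and (last is None or last < cutoff):
            volume_alerted[principal] = ev["ts"]
            alerts.append({"kind": "volume", "principal": principal,
                           "ts": ev["ts"], "rows_in_window": total})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_reads(SAMPLE_LOG):
        print(alert)
```

On the constructed log the application role never trips either check, while the reporting role produces four unfiltered-read alerts and one volume alert for the window. The row budget should be set from the application's own baseline: a streaming service's request path reads one user row at a time, so even a few thousand rows from one principal in ten minutes is anomalous.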
## Response Actions
- Containment: Not detailed. (Assumed necessary steps would include isolating compromised systems and resetting credentials/application secrets).
- Eradication: Not detailed. (Assumed system re-imaging/hardening).
- Recovery actions: Not detailed. (Remediation appears externally focused on advising users).
## Lessons Learned
- **Critical Failure in Password Storage:** Unsalted MD5 is not a password hash. It is fast enough for billions of guesses per second on commodity GPUs, and without a salt every user who chose the same password has the identical hash, so one precomputed table of common passwords cracks the whole column at once instead of one account at a time. The practical result is that most of the 10 million passwords are recoverable in hours, exposing users immediately to credential-stuffing attacks against other services.
- **Data Minimization:** Excessive collection of sensitive PII (e.g., full DOB) increased the scope of the breach impact.
## Recommendations
- **Immediate Remediation:** Affected users should change their Raaga password and any other account where that password was reused, and enable multi-factor authentication (MFA/2FA) wherever it is offered. Raaga should force a reset for all accounts, since the leaked MD5 values remain crackable regardless of how the live store is protected.
- **Password Hashing Upgrade:** Migrate all user password storage from MD5 to a slow, salted password hashing function (Argon2id, scrypt or bcrypt). Existing MD5 hashes can be wrapped in the new function immediately, without waiting for each user to log in, and rehashed natively at the next successful login.
- **Data Retention Review:** Audit and minimize the collection and retention of sensitive PII (like full dates of birth) unless absolutely necessary for service functionality.
- **Access Monitoring:** Implement enhanced monitoring and alerting for mass data queries or anomalous database exports.
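An added example covering both the hashing lesson above and the password-hashing migration recommended here (it is not Raaga's code and is not from the source report). It first shows why an unsalted MD5 column falls to a single dictionary lookup, then wraps legacy MD5 digests in salted scrypt immediately and rehashes natively at the user's next successful login. The leak excerpt, the wordlist, the record format `scheme$salt$digest` and the scrypt parameters are assumptions; scrypt is used because it ships in Python's `hashlib`, and Argon2id or bcrypt via their libraries would serve equally.

```python
"""Why the unsalted MD5 column is recoverable, and how to migrate it without
waiting for users to log in.  Added example, not Raaga's code: the sample
dump, the wordlist, the record format "scheme$salt$digest" and the scrypt
parameters are assumptions.  scrypt is used because it ships in hashlib;
Argon2id or bcrypt via their libraries are equally suitable."""
import hashlib
import hmac
import secrets


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


# Constructed leak excerpt: two users share a password, one chose a strong one.
LEAKED_DUMP = {
    "a@example.com": md5_hex("123456"),
    "b@example.com": md5_hex("123456"),
    "c@example.com": md5_hex("cB7!vq-Ltz4pRm9#"),
}
WORDLIST = ["123456", "password", "qwerty", "raaga123"]   # constructed


def crack_unsalted_md5(dump, wordlist):
    """One MD5 per candidate word covers the whole dump: without a salt every
    user with that password has the identical hash, so cracking is a
    dictionary lookup rather than per-user work."""
    table = {md5_hex(w): w for w in wordlist}
    return {email: table[h] for email, h in dump.items() if h in table}


# --- migration: wrap legacy hashes now, rehash natively at next login -------
N, R, P, DKLEN = 2 ** 14, 8, 1, 32          # assumed cost parameters


def _scrypt(material: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(material, salt=salt, n=N, r=R, p=P, dklen=DKLEN)


def _record(scheme: str, salt: bytes, digest: bytes) -> str:
    return "%s$%s$%s" % (scheme, salt.hex(), digest.hex())


def wrap_legacy(md5_digest_hex: str) -> str:
    """Protect a stored MD5 digest offline, without the plaintext: a random
    per-user salt and the scrypt cost now stand between an attacker who
    steals the table and the original MD5 value."""
    salt = secrets.token_bytes(16)
    return _record("scrypt-md5", salt, _scrypt(md5_digest_hex.encode(), salt))


def hash_password(password: str) -> str:
    salt = secrets.token_bytes(16)
    return _record("scrypt", salt, _scrypt(password.encode(), salt))


def verify_and_upgrade(password: str, stored: str):
    """Return (ok, replacement).  replacement is a native scrypt record when a
    wrapped legacy record verified; the caller persists it and the MD5 layer
    disappears for that account."""
    scheme, salt_hex, digest_hex = stored.split("$")
    salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    if scheme == "scrypt-md5":
        material = md5_hex(password).encode()
    elif scheme == "scrypt":
        material = password.encode()
    else:
        return False, None
    ok = hmac.compare_digest(_scrypt(material, salt), expected)
    if ok and scheme == "scrypt-md5":
        return True, hash_password(password)
    return ok, None


def migration_roundtrip(password: str, wrong_guess: str) -> dict:
    """Walk one account through the migration: wrap its MD5, log in once
    (which upgrades the record), then log in against the native record."""
    wrapped = wrap_legacy(md5_hex(password))
    ok, native = verify_and_upgrade(password, wrapped)
    bad, _ = verify_and_upgrade(wrong_guess, wrapped)
    ok2, again = verify_and_upgrade(password, native)
    return {"legacy_ok": ok, "wrong_ok": bad, "native_scheme": native.split("$")[0],
            "native_ok": ok2, "rehashed_again": again}


if __name__ == "__main__":
    print("cracked:", crack_unsalted_md5(LEAKED_DUMP, WORDLIST))
    print(migration_roundtrip("123456", "password"))
```

Wrapping protects the copy still in the database; it does nothing for MD5 values that have already leaked, which is why a forced reset of every account is still required alongside the migration. Running the block cracks `a@example.com` and `b@example.com` with one lookup (their hashes are identical) and leaves `c@example.com` uncracked against the small wordlist.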