Mak Man, who claims to be based in Lahore, posted on his page the following message:
"Mak Man
[SQL injection] Gaana.com - http://makman.tk/gaana.php
Alexa rank: 121 (India)
Number of user records in database: 10 million+
Exploit POC: http://makman.tk/gaana.php
POC details: Enter the email address of the user (registered on gaana.com) to get all the details."
About 10 Million Users [SQL Injection] http://t.co/nRoTcb9FGP Exploit POC : http://t.co/qvhi2Wvb7e #gaana #indiatimes pic.twitter.com/0NcbG9nIez
— Mak Man (@themakmaniac) May 27, 2015
As Mak Man's online fans started lionising him for his feat, Lahore-based Sajjad Ahmad, who seemed to be Mak Man's accomplice, said in a post, "This is what happens when you don't take bug reports seriously. It's worth mentioning here that the owner of the website was reported several times regarding the vulnerabilities but he didn't fix them because it was too much of work."
Mak Man seems to be the type that derives pleasure from exposing vulnerabilities in a particular system or network. His Facebook page is full of instances of hacking and jokes about system vulnerabilities.
In December, Mak Man had hacked the website of the Pakistan Telecommunication Authority (PTA). Signing off with "Mak Man was here", the hacker advised the PTA to buckle up or some Indian hackers might hack it and claim credit in the media.
Sometime Thursday afternoon #Gaana started trending on social media, as users started reporting the portal was offline. Some online news reports indicated risks to user data and panic began to set in.
Satyan Gajwani, chief executive of Times Internet, which owns Gaana, stepped in to troubleshoot. In a series of tweets, he explained the situation: "A couple of hours ago, a hacker name MakMan exposed a vulnerability in one of our Gaana user databases. Here's where things stand: First of all, we have patched the vulnerability within an hour of its discovery, as MakMan has also acknowledged. No financial or sensitive personal data beyond Gaana login credentials were accessed. No third party credentials were accessed either."
A couple of hours ago, a hacker name MakMan exposed a vulnerability in one of our Gaana user databases. Here's where things stand: 1/n
— Satyan Gajwani (@satyangajwani) May 28, 2015
First of all, we have patched the vulnerability within an hour of its discovery, as MakMan has also acknowledged. 2/n
— Satyan Gajwani (@satyangajwani) May 28, 2015
But it was his extraordinary move to reach out to the hackers and seek their help that proved to be the clincher. Addressing Mak Man and Sajjad Ahmad, Gajwani wrote, "Hi, I'm Satyan, CEO of Times Internet, which runs Gaana. First of all, I'd like to apologise personally if you had shared these reports and we didn't respond earlier. Totally unacceptable by us, and I'm looking into it."
He also requested the duo to take down access to the data completely. Then, he made an irresistible offer: "And finally, if possible, I'd appreciate if we could hire you as a consultant to help us find any more vulnerabilities across our network so that we can keep our products as secure as possible. If you're interested, message me directly, as I'd be very grateful for your advice."
We've asked Makman if he'd be willing to work with us and help us find any other issues as well. https://t.co/8txhpbKGVc 8/n
— Satyan Gajwani (@satyangajwani) May 28, 2015
In response, Sajjad Ahmad said in a post, "Hello Satyan! It's good to see that you took notice of the issue before it was too late. You are right, our intention was not to disclose any private information of the users but to highlight the issue. The vulnerability was reported to the technical head of the website several times but he failed to fix it. Anyhow, the page exposing the information has been taken down permanently. Direct requests from that page were generated to the gaana.com server to extract the information. We assure you no data from the website database was saved anywhere. Mak Man will message you for further discussion."
Soon after, Gajwani tweeted, "The hackers have removed the database from their site #amankiasha". Aman Ki Asha was a campaign run by The Times of India to promote peace and harmony between India and Pakistan.
And the hackers have removed the database from their site. #amankiasha pic.twitter.com/9ZPeS2CJ8a
— Satyan Gajwani (@satyangajwani) May 28, 2015
At around 7:30 pm on Thursday, Mak Man said in a Facebook post: "I hereby confirm no financial information was accessed during the hack of Gaana.com... Database was so huge that I didn't even bother looking (Hell .. I didn't even know if it was there :P) ...and no information was dumped and stored locally...not even a single row." He also dismissed fears of data being saved elsewhere or third-party access: "Most news websites/blogs have posted false information about the hack," he said.
Some netizens, however, expressed disbelief. "Maybe you are posting this, as Gaana.com owners asked you to say this to maintain trust and must have offered you a great amount…Well you did your job…Trusting you that data isn't compromised," posted Abhishek Chawla, a student based in Patiala.
Mak Man replied, "Do you even know the size of a DB having 10 million users? It was huge…It would've taken days."
An email seeking comment sent to Gajwani did not elicit an immediate response.

