Last updated 1 month ago
In December 2025, the Indian music streaming service Raaga experienced a data breach involving over 10.2 million user accounts. The compromised dataset was offered for sale on a popular hacking forum, indicating external discovery and disclosure of the incident. The breach exposed a substantial portion of Raaga's user base, representing one of the larger consumer data exposures in the Indian technology sector during this period.
The attack resulted in unauthorized access to Raaga's user database and the exfiltration of personally identifiable information, including email addresses, names, genders, ages, and in some cases full dates of birth. The data also included postcodes as geographic identifiers, along with passwords stored as unsalted MD5 hashes. That storage method is a significant security weakness because it gives the underlying passwords only weak cryptographic protection.
No post-incident developments regarding regulatory actions, litigation, ransom payments, or remediation milestones were confirmed in the available information. The breach notification appears to have occurred through the public sale of data rather than through formal organizational disclosure channels.
Data posted for sale on a hacking forum
The Raaga breach demonstrates critical failures in password storage security through the use of unsalted MD5 hashing, an outdated and cryptographically weak method that enables rapid password recovery attacks. The exposure of comprehensive personal data, including dates of birth and postcodes alongside email addresses, creates significant identity theft and credential stuffing risks, which is particularly concerning for a consumer-facing streaming service with millions of users. The incident highlights the necessity for technology companies to implement modern password hashing algorithms and conduct regular security assessments of authentication systems.
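The contrast between the storage scheme described above and a salted, slow alternative, with an upgrade-on-login path for legacy rows, is sketched below as an added example; it is not Raaga's code. PBKDF2-HMAC-SHA256 is used only because it ships in the Python standard library, and the function names, record format, iteration count and sample rows are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this sketch; tune per deployment
PREFIX = "pbkdf2_sha256"

def legacy_md5(password: str) -> str:
    """Storage scheme described above: no salt, one fast MD5 pass."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str) -> str:
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{PREFIX}${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def login(db: dict, user: str, password: str) -> bool:
    """Check a login; upgrade a legacy MD5 row once the password is proven."""
    stored = db.get(user)
    if stored is None:
        return False
    if stored.startswith(PREFIX + "$"):
        return verify_password(password, stored)
    if hmac.compare_digest(legacy_md5(password), stored):
        db[user] = hash_password(password)  # rehash; MD5 value is discarded
        return True
    return False

def shared_hash_groups(db: dict) -> list:
    """Groups of users whose stored values are identical (reused passwords)."""
    groups = {}
    for user, stored in db.items():
        groups.setdefault(stored, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]

def constructed_db() -> dict:
    # Constructed sample rows, not data from the breach.
    return {u: legacy_md5(p) for u, p in
            [("user_a", "example-pass-1"), ("user_b", "example-pass-1"),
             ("user_c", "example-pass-2")]}
```

With unsalted MD5, `shared_hash_groups` reveals which accounts share a password straight from the stored column; after both accounts log in and are rehashed, their stored values differ even though the password is the same.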