Indian music streaming platform Raaga has become the latest victim of a significant cybersecurity incident after sensitive user data was posted for sale on a popular hacking forum in December 2025.
The breach has exposed personal information from over 10 million users, raising serious concerns about account security and the risk of identity theft.
The compromised database contains approximately 10.2 million unique email addresses, along with a range of personally identifiable information.
According to breach disclosure reports, threat actors gained unauthorized access to Raaga’s systems.
They extracted sensitive user records that were subsequently offered for sale on underground cybercriminal marketplaces.
The exposed dataset includes user names, gender information, age data, and in some instances, complete dates of birth.
Additionally, geographic location data, such as postcodes, was compromised, along with user passwords stored as unsalted MD5 hashesa deprecated cryptographic method that security experts consider highly vulnerable to cracking using modern computational techniques.
The use of unsalted MD5 password hashing represents a critical security vulnerability.
MD5 is a legacy hashing algorithm that has been widely discouraged by security professionals for over a decade due to its susceptibility to rainbow table attacks and brute-force decryption.
Unsalted implementations make password cracking significantly easier, as attackers can efficiently reverse-engineer user credentials using pre-computed hash databases.
This password storage methodology suggests potential deficiencies in Raaga’s data protection infrastructure.
It raises questions about the platform’s adherence to modern cybersecurity standards. Users who reuse passwords across multiple online services face a heightened risk of credential stuffing attacks, in which compromised login details are systematically tested against other platforms.
Security researchers advise all Raaga users to take immediate protective action. Users should change their Raaga passwords immediately and update the credentials on any other accounts that use the same password.
Implementing two-factor authentication wherever available adds an essential security layer that can prevent unauthorized access even if passwords are compromised.
Cybersecurity experts recommend adopting password managers to generate and store strong, unique passwords for each online account.
These tools eliminate password reuse vulnerabilities and significantly reduce the risk of credential-based attacks, as reported by haveibeenpwned.
Users should also monitor their email addresses for suspicious activity and remain vigilant against phishing attempts that may leverage the stolen information.
The incident underscores the ongoing challenges facing digital service providers in protecting user data against increasingly sophisticated cyber threats.
Follow us on Google News, LinkedIn, and X to Get Instant Updates ancd Set GBH as a Preferred Source in Google.