What Happened
In December 2025, specifically around December 15, the Indian music streaming platform raaga.com suffered a major data breach when threat actors gained unauthorized access to its systems, exfiltrating a database containing personal information from 10.2 million (precisely 10,225,145) user accounts, which was then posted for sale on underground hacking forums. The exposed data included unique email addresses, full names, usernames, genders, ages, partial or full dates of birth, geographic locations such as postcodes, and critically, passwords stored using the outdated and vulnerable unsalted MD5 hashing method, enabling rapid cracking via rainbow tables and heightening risks of phishing, identity theft, and credential stuffing attacks. Raaga confirmed the incident but has not publicly detailed discovery timelines, notifications to users, or post-breach security fixes, prompting experts to urge affected users to immediately change passwords, enable two-factor authentication, monitor accounts, and avoid password reuse.
