Critical

Raaga Breach: 10.2M Accounts — Passwords Exposed

In December 2025, data allegedly breached from the Indian streaming music service 'Raaga' was posted for sale on a popular hacking forum. The data contained 10M unique email addresses along with names, genders, ages (in some cases, full date of birth), postcodes and passwords stored as unsalted MD5...

Overview

In December 2025, a threat actor posted for sale on a popular hacking forum a database allegedly belonging to Raaga, an Indian streaming music service. The breach affects over 10.2 million unique user accounts and includes email addresses, names, genders, ages (with some records containing full dates of birth), postcodes, and passwords stored as unsalted MD5 hashes. The data was reported to Have I Been Pwned, allowing affected users to verify their exposure. This breach is critical due to the combination of personally identifiable information (PII) and the use of a severely outdated password hashing algorithm.

What Was Exposed

The leaked database includes:

  • Email Addresses: Primary identifiers for account access and phishing targets.
  • Passwords (unsalted MD5): Unsalted MD5 is effectively plaintext - it can be cracked instantly against rainbow tables or via GPU-based brute force.
  • Names and Genders: Useful for targeted social engineering.
  • Ages and Dates of Birth (in some cases): Full DOB is a key component for identity theft and credential-stuffing attacks.
  • Postcodes: Adds geographic specificity, aiding phishing or physical fraud.

The absence of salting means any password in the dump is likely recoverable within seconds.

Account Takeover Risks

Because MD5 hashes are trivially crackable, the primary risk is account takeover. Attackers can recover passwords and attempt to access:

  • Raaga accounts directly, using the recovered password.
  • Other services where users reused the same email and password combination - a common practice.

With email addresses and passwords in hand, threat actors can also launch credential-stuffing attacks against banking, social media, and email platforms. The inclusion of birth dates and postcodes further enables password-reset social engineering on other accounts.
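The defender-side counterpart to the credential-stuffing risk described above is spotting it in authentication logs. The following Python example is added here and is not from the report or from Raaga; the log format, the sample lines and the source addresses are constructed for illustration. A credential-stuffing run looks like one source failing logins across many different accounts in a short window, whereas a legitimate user retrying a mistyped password keeps hitting the same account.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Tuple

# Assumed log format (constructed for this example, not any vendor's):
#   "<ISO-8601 UTC timestamp> auth <FAIL|OK> user=<account> ip=<source>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: one source tries five different accounts within seconds
# and then logs in to a sixth; a second source is a single user mistyping.
SAMPLE_LOG = """\
2025-12-01T10:00:01Z auth FAIL user=alice@example.com ip=203.0.113.10
2025-12-01T10:00:03Z auth FAIL user=bob@example.com ip=203.0.113.10
2025-12-01T10:00:04Z auth FAIL user=carol@example.com ip=203.0.113.10
2025-12-01T10:00:06Z auth FAIL user=dave@example.com ip=203.0.113.10
2025-12-01T10:00:07Z auth FAIL user=erin@example.com ip=203.0.113.10
2025-12-01T10:00:09Z auth OK user=frank@example.com ip=203.0.113.10
2025-12-01T10:01:00Z auth FAIL user=grace@example.com ip=198.51.100.7
2025-12-01T10:01:20Z auth FAIL user=grace@example.com ip=198.51.100.7
2025-12-01T10:01:45Z auth OK user=grace@example.com ip=198.51.100.7
"""


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, result, user, ip) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["ip"]


def detect_credential_stuffing(
    lines: Iterable[str],
    window: timedelta = timedelta(minutes=5),
    min_distinct_users: int = 5,
) -> Dict[str, dict]:
    """Sliding window of failed logins per source IP. A source is flagged when
    it has failed against at least `min_distinct_users` distinct accounts inside
    `window`. Successes from an already-flagged source are counted separately,
    because a success after a spray is the event worth investigating first."""
    failures: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, dict] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, result, user, ip = ev
        if result == "FAIL":
            q = failures[ip]
            q.append((ts, user))
            while q and ts - q[0][0] > window:   # drop failures outside the window
                q.popleft()
            distinct = {u for _, u in q}
            if len(distinct) >= min_distinct_users:
                entry = flagged.setdefault(ip, {
                    "distinct_users": 0,
                    "first_seen": q[0][0].isoformat(),
                    "last_seen": "",
                    "successes_after": 0,
                })
                entry["distinct_users"] = max(entry["distinct_users"], len(distinct))
                entry["last_seen"] = ts.isoformat()
        elif ip in flagged:                      # result == "OK" from a flagged source
            flagged[ip]["successes_after"] += 1
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The threshold and window are deliberately parameters: a service the size of Raaga's would tune them against its own baseline of failed logins per source, and would key on more than the IP (for example a device fingerprint or ASN) since stuffing tools rotate addresses.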

How the Breach Happened

Raaga has not publicly detailed the attack vector. The sale on a hacking forum suggests the data was exfiltrated from its servers; plausible routes include a compromised API endpoint, a SQL injection vulnerability, or an insider. The use of unsalted MD5 shows that password storage was never migrated to a modern algorithm such as bcrypt or Argon2, so a fundamental defense was missing. The breach appears to have gone undetected until the data was offered for sale.
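To make the storage failure concrete, here is an added Python example; it is not Raaga's code and not from the report. It audits a constructed user table for the two cheap indicators of the problem (values that look like bare MD5 digests, and identical digests shared by different users, which is only possible without a per-user salt), then performs the standard migration: wrap every legacy digest in a salted, memory-hard KDF immediately, without waiting for each user to log in with their plaintext. scrypt from the standard library stands in for the bcrypt or Argon2 named above; the record format, user names, passwords and scrypt parameters are assumptions.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Dict, List, Optional


def legacy_md5(password: str) -> str:
    """The weak scheme the report describes: bare MD5, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed legacy table (made-up users and passwords). Alice and Bob chose
# the same password, so their stored digests are identical.
LEGACY_USERS: Dict[str, str] = {
    "alice@example.com": legacy_md5("summer2024"),
    "bob@example.com":   legacy_md5("summer2024"),
    "carol@example.com": legacy_md5("Tr0ub4dor&3"),
}


def audit_password_store(records: Dict[str, str]) -> Dict[str, List]:
    """Flag values that are exactly 32 hex characters (almost certainly bare
    MD5) and report groups of users sharing one digest. Shared digests mean
    one recovered password unlocks every account in the group."""
    md5_like = [u for u, h in records.items()
                if len(h) == 32 and all(c in "0123456789abcdef" for c in h.lower())]
    counts = Counter(records.values())
    duplicate_groups = [[u for u, h in records.items() if h == digest]
                        for digest, n in counts.items() if n > 1]
    return {"md5_like": md5_like, "duplicate_groups": duplicate_groups}


# Assumed scrypt parameters: N=2^14, r=8, p=1 uses about 16 MiB per hash,
# under hashlib's default memory limit, and is far slower per guess than MD5.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def wrap_legacy_hash(md5_hex: str, salt: Optional[bytes] = None) -> str:
    """Upgrade a stored MD5 digest in place: the digest itself (we do not have
    the plaintext) becomes the scrypt input, with a fresh 16-byte salt per user.
    An attacker now pays one scrypt evaluation per guess instead of one MD5."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    key = hashlib.scrypt(md5_hex.encode("ascii"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt-md5${salt.hex()}${key.hex()}"


def migrate_store(records: Dict[str, str]) -> Dict[str, str]:
    """One-shot migration of the whole table; no user interaction required."""
    return {u: wrap_legacy_hash(h) for u, h in records.items()}


def verify_password(password: str, stored: str) -> bool:
    """Login check for the wrapped format: MD5 the candidate, scrypt it with
    the stored salt, compare in constant time. Rejects unmigrated records."""
    try:
        scheme, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt-md5":
        return False
    candidate = wrap_legacy_hash(legacy_md5(password), bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate.split("$")[2], key_hex)


if __name__ == "__main__":
    print("before:", audit_password_store(LEGACY_USERS))
    upgraded = migrate_store(LEGACY_USERS)
    print("after: ", audit_password_store(upgraded))
    print("login ok:", verify_password("summer2024", upgraded["alice@example.com"]))
```

The wrapped form is a stopgap that removes the instant-crack property; the clean end state is to rehash the plaintext with the KDF directly at the user's next successful login and drop the MD5 layer from the scheme.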

How to Check If You’re Affected

Raaga users can check if their data is exposed by visiting Have I Been Pwned. Simply enter your email address; if it appears in the breach, you will see the Raaga entry listed. You can also search your email across all breaches using the site’s global search function.

What to Do Right Now

If your email is in the breach:

  1. Change your Raaga password immediately - assume it is compromised.
  2. Change passwords on any other accounts where you used the same or similar password.
  3. Enable two-factor authentication (2FA) on all accounts that support it, particularly email and financial services.
  4. Watch for phishing emails - attackers may target you with Raaga-themed phishing or impersonation attempts.
  5. Freeze your credit if your full date of birth and postcode were exposed, as this combination is sufficient for synthetic identity fraud.

Security Insight

This breach demonstrates a critical failure in password storage hygiene. Unsalted MD5 has been considered insecure for over a decade, yet a major streaming service with millions of users relied on it in 2025. Coverage of similar breaches at Indian firms in 2023 showed that unsalted hashing remains alarmingly common in the region's legacy infrastructure. Raaga's users paid the price for outdated security practices - a lesson every organization should heed: verify your password hashing algorithm today, not after a breach.
