Music streaming platform Raaga confirms data breach exposing personal information of 10.2 million users

Indian music streaming platform Raaga has confirmed a major cybersecurity breach that exposed the personal information of more than 10.2 million users, the company said. The incident, which occurred in December 2025, involved unauthorized access to Raaga’s systems and the extraction of a large user database that was later offered for sale on underground cybercriminal marketplaces.

The compromised dataset contains approximately 10.2 million unique email addresses along with extensive personally identifiable information. Exposed records include usernames, full names, gender information, age data, and, in many cases, complete or partial dates of birth. Geographic location details such as postal codes were also included, creating detailed user profiles that significantly increase the risk of targeted phishing and identity theft.

Investigators determined that threat actors gained access to Raaga’s infrastructure and exfiltrated the data before advertising it to potential buyers on prominent underground hacking forums. The breach timeline indicates the data was taken sometime in December 2025, although the precise date of the initial intrusion has not been disclosed. Raaga has not publicly stated when it first detected the incident or whether affected users were formally notified.

A critical aspect of the breach involves the platform’s password storage practices. The exposed records show that user passwords were hashed using unsalted MD5, a cryptographic method widely regarded as obsolete and insecure. The lack of salting and the inherent weaknesses of MD5 allow modern password-cracking tools to reverse hashes at scale, potentially revealing plaintext passwords within a short period of time.

The exposure of email addresses alongside weakly protected password hashes creates heightened risk for credential stuffing attacks, in which stolen login credentials are tested against other online services. Users who reused the same password across multiple platforms face an increased likelihood of account compromise beyond Raaga.

Raaga has advised users to take immediate steps to secure their accounts, including changing passwords, updating credentials on other services where the same password was used, enabling two-factor authentication where available, and remaining alert to phishing attempts that may exploit exposed personal information. The incident highlights ongoing challenges faced by digital service providers in safeguarding user data amid escalating cyber threats.