Raaga Breach: 10.2M Accounts — Passwords Exposed
In December 2025, data allegedly breached from the Indian streaming music service 'Raaga' was posted for sale to a popular hacking forum. The data contained 10M unique email addresses along with names, genders, ages (in some cases, full date of birth), postcodes and passwords stored as unsalted MD5...
Overview
In December 2025, a significant data breach impacted the popular Indian music streaming service, Raaga. A dataset containing the personal information of over 10 million users was stolen and subsequently offered for sale on a prominent hacking forum. The exposure of sensitive personal details, combined with weakly protected passwords, makes this a critical security incident for anyone who has ever used the service.
What Was Exposed
The stolen data is extensive and includes several key pieces of personal information for each affected account. The confirmed exposed data includes:
- Email Addresses: The primary contact and login identifier.
- Names and Genders: Basic personal identification details.
- Passwords: These were stored using an outdated and weak method known as an unsalted MD5 hash. This is akin to locking a door with a basic, easily picked lock, making it relatively simple for criminals to convert these hashes back into the original plaintext passwords.
- Additional Personal Data: For many users, the breach also included ages, full dates of birth, and postcodes. This combination of information is particularly sensitive.
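Why unsalted MD5 is such weak protection, shown as an added example (not Raaga's code and not part of the original report): without a salt, every account with the same password stores the same value, while a per-account salt and a slow key-derivation function remove that link. The sample accounts, function names and the PBKDF2 work factor are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 600_000  # PBKDF2 work factor; an assumption chosen for this example

def md5_unsalted(password):
    """Weak scheme described above: a single MD5 pass with no salt."""
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_hash(password, salt=None):
    """Hardened scheme: random per-account salt plus a slow, iterated KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def pbkdf2_verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(pbkdf2_hash(password, salt)[1], expected)

def shared_values(stored):
    """Return stored hash values that appear on more than one account."""
    counts = Counter(stored.values())
    return {value: n for value, n in counts.items() if n > 1}

# Constructed sample accounts (not taken from the breach data).
ACCOUNTS = {
    "asha@example.com": "sunshine1",
    "ravi@example.com": "sunshine1",  # same password as asha
    "meena@example.com": "kettle-violet-orbit-42",
}

def compare_schemes(accounts):
    """Hash every account both ways and report which stored values collide."""
    weak = {user: md5_unsalted(pw) for user, pw in accounts.items()}
    strong = {user: pbkdf2_hash(pw) for user, pw in accounts.items()}
    strong_digests = {user: digest for user, (_, digest) in strong.items()}
    return shared_values(weak), shared_values(strong_digests), strong

if __name__ == "__main__":
    weak_dupes, strong_dupes, _ = compare_schemes(ACCOUNTS)
    print("unsalted MD5 values shared across accounts:", weak_dupes)
    print("salted PBKDF2 values shared across accounts:", strong_dupes)
```

With unsalted MD5 the two accounts that share a password are visibly linked in the stored data, so one guessed password exposes every account that used it; with salted PBKDF2 each account has to be guessed separately and slowly.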
Potential Impact
The exposure of this data creates multiple serious risks for victims. The primary danger is account takeover. Since many people reuse passwords across multiple websites, criminals can use the cracked Raaga passwords to attempt to log into your email, social media, banking, or shopping accounts. This is the most immediate threat.
Secondly, the combination of your name, date of birth, email, and postcode provides a powerful toolkit for targeted phishing attacks. Scammers can craft highly convincing emails pretending to be from banks, government agencies, or other trusted entities, using your real details to gain your trust. This information can also be used for identity fraud or sold to other cybercriminals on the dark web.
Recommendations
If you have ever had a Raaga account, you must take immediate action to protect yourself.
- Change Your Raaga Password Immediately: Log into your Raaga account and update your password to a new, strong, and unique one. Do not reuse a password from any other service.
- Change Passwords on Other Accounts: If you used the same or a similar password for Raaga on any other website (especially email, social media, or financial accounts), change those passwords immediately as well.
- Enable Two-Factor Authentication (2FA): Wherever possible, especially on your primary email account, enable 2FA. This adds a critical second layer of security, like a code sent to your phone, that stops hackers even if they have your password.
- Be Vigilant Against Phishing: Be extremely cautious of unsolicited emails, texts, or calls asking for personal information or directing you to click on links. Verify the sender’s authenticity independently before responding.
- Monitor Financial Statements: Keep a close eye on your bank and credit card statements for any unauthorized transactions.
How to Check If You’re Affected
The breach has been verified and documented by the reputable service “Have I Been Pwned.” You can easily check if your email address was involved in this or any other known breach.
- Visit haveibeenpwned.com.
- Enter your primary email address(es) into the search bar.
- The site will show you if your data was found in the Raaga breach. You can view the specific details of this incident here: https://haveibeenpwned.com/Breach/Raaga.
Taking these steps promptly is the best way to secure your accounts and personal information following this breach.