Raaga 2025 Data Breach

Raaga Indian Music Streaming Platform Breach (2025): 10.2 Million User Accounts Including Passwords & DOB Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Streaming · Music · Age · Date of Birth · Email Address · Full Name · Gender · Geographic Location · Password
Moderate Severity · Website / service breach

Music streaming and entertainment platform focused on Indian content.

Verified by ObscureIQ Intelligence
Breach Risk Index: 54/100
Data Value: 10
Market Recency: 60
Since Breach: 98d

Breach Intelligence Summary

Entity: Raaga · Actor: Unknown · Sources: 2 references
Attack: Unknown
Profile: Platform · Music streaming services · Digital audio platform · India / Global
Timeline: Breach (2025-12-15) · Indexed (Jan 19, 2026) · Year (2025)
Exposure: 10.2M records · 7 fields: Age, Date of Birth, Email Address, Full Name, Gender, Geographic Location, Password
Status: Confirmed

Executive Summary

Raaga, an India-based music streaming and entertainment platform focused on Indian-language audio content, suffered a data breach in approximately mid-December 2025 when threat actors gained unauthorized access to Raaga's systems and exfiltrated a database containing personal information for over 10.2 million user accounts. The data was subsequently posted for sale on an underground hacking forum. The breach was indexed by Have I Been Pwned on January 19, 2026 and covered by Indian and international cybersecurity media in January 2026. Raaga has publicly confirmed the breach but has not detailed the original compromise vector, the specific vulnerability exploited, or post-breach security improvements.

The breach affected approximately 10,225,145 unique user accounts based on records indexed by breach-tracking services. Compromised fields included names, email addresses, gender information, ages and (in some cases) full dates of birth, postcodes for geographic locations, and passwords stored as unsalted MD5 hashes. The unsalted MD5 password storage represents a particularly severe failure mode because MD5 has been recognized as cryptographically broken for over a decade, and the absence of salting allows attackers to use precomputed rainbow tables to rapidly recover the underlying password values. Modern industry standards including bcrypt, scrypt, and Argon2 have been recommended replacements for over a decade.

For affected users, the practical risk profile is severe and long-lasting because the unsalted MD5 password storage means the original password values can be recovered for many users with only modest computational effort. The combination of name, email address, date of birth, gender, and postcode supports targeted phishing and identity-verification bypass attempts at financial institutions, Indian government services where date of birth and contact information may be used for identity confirmation, and other accounts.

Inclusion in the dataset confirms a Raaga subscription or account relationship and may support culturally-targeted phishing referencing Indian music, regional language preferences inferred from listening history, or specific Raaga-platform features. Affected users should change any reused passwords immediately on all other accounts, enable two-factor authentication where available, treat unsolicited contact referencing Raaga or related Indian-language services with caution, and remain alert to phishing campaigns referencing real demographic details that may have been included in the stolen dataset.
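The password-storage failure described above, set beside a salted, memory-hard replacement with rehash-on-login migration. This is an added example, not Raaga's or ObscureIQ's code; the record format, function names, scrypt cost parameters and sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values for this example, tune per deployment.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def legacy_md5(password: str) -> str:
    """Legacy scheme: unsalted MD5, hex-encoded (the weak 'before')."""
    return hashlib.md5(password.encode()).hexdigest()

def scrypt_record(password: str) -> str:
    """Hardened scheme: per-user random salt + scrypt, as 'scrypt$salt$hash'."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify(password: str, stored: str) -> bool:
    """Check a password against either record format in constant time."""
    if stored.startswith("scrypt$"):
        _, salt_hex, digest_hex = stored.split("$")
        digest = hashlib.scrypt(password.encode(),
                                salt=bytes.fromhex(salt_hex), **SCRYPT)
        return hmac.compare_digest(digest.hex(), digest_hex)
    return hmac.compare_digest(legacy_md5(password), stored)

def login(users: dict, email: str, password: str) -> bool:
    """Authenticate; on success replace a legacy MD5 record with scrypt."""
    stored = users.get(email)
    if stored is None or not verify(password, stored):
        return False
    if not stored.startswith("scrypt$"):
        users[email] = scrypt_record(password)  # MD5 value is discarded
    return True

if __name__ == "__main__":
    # Constructed sample accounts sharing one password (not breach data).
    users = {e: legacy_md5("Sangeet#2025")
             for e in ("a@example.test", "b@example.test")}
    # Unsalted: equal passwords give equal records, so one precomputed
    # lookup covers every account that chose this password.
    print("MD5 records equal:   ", users["a@example.test"] == users["b@example.test"])
    for email in list(users):
        login(users, email, "Sangeet#2025")
    # Salted: the same password now yields unrelated records per user.
    print("scrypt records equal:", users["a@example.test"] == users["b@example.test"])
```

Rehash-on-login only protects records against future dumps. Hashes that have already been exfiltrated stay recoverable, so the affected passwords still need to be reset.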

ObscureIQ assessment: Primary risks include account takeover, phishing, and interest-based profiling. Listening behavior can also reveal language, culture, and identity signals that improve targeting.

Breach Impact

The institutional impact on Raaga is significant given the breach's scale, the platform's regulatory exposure under India's DPDP Act, and the security-community concerns about the deprecated cryptographic practices documented in the leaked dataset. Raaga has confirmed the breach but has not detailed remediation measures or notification practices. The reputational impact concentrates within the Indian music streaming category, where Raaga has historically been one of several major regional music streaming brands. The case has been widely cited in Indian and international cybersecurity coverage as illustrating systemic password-storage and cybersecurity weaknesses at consumer streaming platforms in emerging markets, alongside other 2024-2026 streaming-platform breaches.

About Raaga

Raaga is an India-based music streaming and entertainment platform focused on Indian language content including Hindi, Tamil, Telugu, Malayalam, Kannada, Bengali, Punjabi, and other regional Indian language music. Headquartered in India and operating globally at raaga.com, the platform serves a substantial international user base including the Indian diaspora across North America, Europe, the Gulf region, and Southeast Asia. As an account-based music streaming platform, Raaga maintains user account data including names, email addresses, demographic information, geographic location, listening history, subscription billing records, and login credentials tied to audio consumption and recommendation features.

Why They Hold Your Data

Music-streaming platforms collect user accounts, emails, subscription records, listening history, device identifiers, and engagement data tied to audio consumption and recommendation systems.

Recent Developments

Raaga has confirmed the December 2025 breach in public statements following the data's appearance on hacking forums in January 2026 and broader industry coverage. The breach has been the subject of significant security-research commentary because of Raaga's use of unsalted MD5 password storage, which has been characterized as a deprecated cryptographic method that the security community abandoned over a decade before the breach. Raaga has not publicly detailed the discovery timeline, the specific vulnerability that enabled the compromise, the timing of user notifications, or post-breach security improvements. The breach is subject to oversight under India's Digital Personal Data Protection Act 2023 (DPDP Act), which carries materially higher potential penalties than earlier Indian data-protection frameworks.

Data Points Exposed

7 verified field types:
  • Age
  • Date of Birth (High)
  • Email Address
  • Full Name (High)
  • Gender
  • Geographic Location
  • Password (Critical)

Exploitation & Downstream Threats

Threat Activity: Critical
Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • Identity verification bypass using name + date of birth combination
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
Threat vectors:
  • Profile enrichment
  • Identity verification bypass
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • Pattern-of-life analysis & physical surveillance
  • Credential stuffing & account takeover

Recommended Actions

If you believe your information may be included:

  • Change Reused Passwords: Update this account and anywhere you reused the password; use a password manager.
  • Enable MFA Everywhere: Turn on multi-factor authentication on email first, then financial accounts.
  • Report & Recover: If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the Raaga breach?

Raaga, an India-based music streaming and entertainment platform focused on Indian-language audio content, suffered a data breach in approximately mid-December 2025 when threat actors gained unauthorized access to Raaga's systems and exfiltrated a database containing personal information for over…

What data was exposed?

Verified fields include Age, Date of Birth, Email Address, Full Name, Gender, Geographic Location, Password.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

  • Breach Index · Have I Been Pwned · Record & field corroboration
  • ObscureIQ Intelligence · ObscureIQ proprietary analysis · Risk Index scoring & downstream-threat assessment
