Raaga Data Breach
Raaga Indian Music Streaming Platform Breach (2025): 10.2 Million User Accounts Including Passwords & DOB Exposed
Music streaming and entertainment platform focused on Indian content.
Risk Interpretation
Primary risks include account takeover, phishing, and interest-based profiling. Listening behavior can also reveal language, culture, and identity signals that improve targeting.
Impact & Downstream Threats
The institutional impact on Raaga is significant given the breach's scale, the platform's regulatory exposure under India's DPDP Act, and the security-community concerns about the deprecated cryptographic practices documented in the leaked dataset. Raaga has confirmed the breach but has not detailed remediation measures or notification practices. The reputational impact concentrates within the Indian music streaming category, where Raaga has historically been one of several major regional music
- Credential stuffing against reused passwords across other platforms
- Identity verification bypass using name + date of birth combination
- Targeted phishing campaigns using exposed email addresses
- Doxxing risk from physical address exposure
Threat Vectors
Breach Intelligence
Executive Summary
Raaga, an India-based music streaming and entertainment platform focused on Indian-language audio content, suffered a data breach in approximately mid-December 2025 when threat actors gained unauthorized access to Raaga's systems and exfiltrated a database containing personal information for over 10.2 million user accounts. The data was subsequently posted for sale on an underground hacking forum. The breach was indexed by Have I Been Pwned on January 19, 2026 and covered by Indian and international cybersecurity media in January 2026. Raaga has publicly confirmed the breach but has not detailed the original compromise vector, the specific vulnerability exploited, or post-breach security improvements.
The breach affected approximately 10,225,145 unique user accounts based on records indexed by breach-tracking services. Compromised fields included names, email addresses, gender information, ages and (in some cases) full dates of birth, postcodes for geographic locations, and passwords stored as unsalted MD5 hashes. The unsalted MD5 password storage represents a particularly severe failure mode because MD5 has been recognized as cryptographically broken for over a decade, and the absence of salting allows attackers to use precomputed rainbow tables to rapidly recover the underlying password values. Modern industry standards including bcrypt, scrypt, and Argon2 have been recommended replacements for over a decade.
For affected users, the practical risk profile is severe and long-lasting because the unsalted MD5 password storage means the original password values can be recovered for many users with only modest computational effort. The combination of name, email address, date of birth, gender, and postcode supports targeted phishing and identity-verification bypass attempts at financial institutions, Indian government services where date of birth and contact information may be used for identity confirmation, and other accounts. Inclusion in the dataset confirms a Raaga subscription or account relationship and may support culturally-targeted phishing referencing Indian music, regional language preferences inferred from listening history, or specific Raaga-platform features. Affected users should change any reused passwords immediately on all other accounts, enable two-factor authentication where available, treat unsolicited contact referencing Raaga or related Indian-language services with caution, and remain alert to phishing campaigns referencing real demographic details that may have been included in the stolen dataset.
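To make the storage failure described above concrete, the following added example (not Raaga's code and not part of the original page) shows that unsalted MD5 gives identical stored values for identical passwords, and one way to move such rows to salted scrypt at login. The record format, function names, cost parameters and sample users are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# scrypt cost parameters (assumed for this example; tune to your hardware).
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def legacy_md5(password: str) -> str:
    """Unsalted MD5 hex digest: the storage format reported for this breach."""
    return hashlib.md5(password.encode(), usedforsecurity=False).hexdigest()

def scrypt_record(password: str) -> str:
    """Salted, memory-hard record: 'scrypt$<salt hex>$<derived key hex>'."""
    salt = os.urandom(16)  # unique per user, so equal passwords store differently
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return f"scrypt${salt.hex()}${key.hex()}"

def verify_and_upgrade(password: str, stored: str) -> tuple[bool, str]:
    """Check a login; return (ok, value to store afterwards)."""
    if stored.startswith("scrypt$"):
        _, salt_hex, key_hex = stored.split("$")
        key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT)
        return hmac.compare_digest(key.hex(), key_hex), stored
    # Legacy row: verify against MD5, then replace it while the plaintext is in hand.
    ok = hmac.compare_digest(legacy_md5(password), stored)
    return ok, (scrypt_record(password) if ok else stored)

def shared_hashes(store: dict[str, str]) -> list[list[str]]:
    """Users whose stored values are byte-identical (a sign of unsalted hashing)."""
    groups: dict[str, list[str]] = {}
    for user, value in store.items():
        groups.setdefault(value, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]

def demo() -> tuple[list[list[str]], list[list[str]]]:
    # Constructed sample data: two users who picked the same password.
    logins = {"user_a": "Sangeetham#2019", "user_b": "Sangeetham#2019",
              "user_c": "other-Pass-77"}
    store = {user: legacy_md5(pw) for user, pw in logins.items()}
    before = shared_hashes(store)
    for user, pw in logins.items():  # each user logs in once
        ok, store[user] = verify_and_upgrade(pw, store[user])
        assert ok
    return before, shared_hashes(store)

if __name__ == "__main__":
    print(demo())  # shared groups before migration, then after
```

Rehash-on-login only covers users who return; dormant rows stay in MD5 until they are wrapped in the stronger hash or the password is reset.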
About Raaga
Raaga is an India-based music streaming and entertainment platform focused on Indian language content including Hindi, Tamil, Telugu, Malayalam, Kannada, Bengali, Punjabi, and other regional Indian language music. Headquartered in India and operating globally at raaga.com, the platform serves a substantial international user base including the Indian diaspora across North America, Europe, the Gulf region, and Southeast Asia. As an account-based music streaming platform, Raaga maintains user account data including names, email addresses, demographic information, geographic location, listening history, subscription billing records, and login credentials tied to audio consumption and recommendation features.
Why They Hold Your Data
Music-streaming platforms collect user accounts, emails, subscription records, listening history, device identifiers, and engagement data tied to audio consumption and recommendation systems.
Recent Developments
Raaga has confirmed the December 2025 breach in public statements following the data's appearance on hacking forums in January 2026 and broader industry coverage. The breach has been the subject of significant security-research commentary because of Raaga's use of unsalted MD5 password storage, which has been characterized as a deprecated cryptographic method that the security community abandoned over a decade before the breach. Raaga has not publicly detailed the discovery timeline, the specific vulnerability that enabled the compromise, the timing of user notifications, or post-breach security improvements. The breach is subject to oversight under India's Digital Personal Data Protection Act 2023 (DPDP Act), which carries materially higher potential penalties than earlier Indian data-protection frameworks.
Data Points Exposed
Exposure Categories
Canonical Fields
age, date_of_birth, email_address, full_name, gender, geographic_locations, password
Dark Web Verification
- Dataset containing ~10.2M records identified in breach intelligence sources
- Data indexed and searchable across breach notification platforms
- Source: Raaga Data Breach
Recommended Actions
⚠️ Do not assume this is low sensitivity.
ObscureIQ Advisory
We combine proprietary dark web access with commercial and restricted breach intelligence to verify exposure and assess real-world risk.
- A public-facing individual
- A high-profile executive
- A customer of Raaga
- Or concerned about credential reuse
