ZEE5 allegedly hacked by 'Korean hackers', customer info at risk

June 8, 2020


A hacker identifying themselves as "John Wick" and "Korean Hackers" claims to have breached the systems of Indian video-on-demand giant ZEE5 and is threatening to sell the database on criminal markets.

ZEE5 is an Indian streaming service with over 150 million subscribers worldwide and is part of the Essel Group conglomerate, the same company that owns ZEE news media outlets and TV channels.

Earlier this year, a paste floating on the web exposed credentials of some 1,023 Premium ZEE5 accounts. After reporting these accounts to ZEE5, they were quick to respond, but we are not aware of notifications sent to affected accounts.

Hackers claim to have breached Zee5.com

Now, Kanishk Tagade of Quickcyber has reached out to us with extensive details about a massive data breach that has allegedly hit the video streaming giant.

In an email threat sent to Tagade, editors of major Indian newspapers, and employees of ZEE5, a hacker claiming to be "Korean Hackers" warned that they have breached Zee5.com and stolen a database with sensitive information.

They then threaten that they "will expose your database & code in public for open sale soon."

Email sent from alleged hackers

The hacker(s) going by the name of "John Wick" further list what they would be revealing: "data, recent transactions, passwords, emails, mobile numbers, email id, messages, etc…"

A point to note here: the term "email id" used in the thread is used mainly in the Indian subcontinent to refer to an email address.

In emails with BleepingComputer, the hackers state that they mostly "help these people to fix the bugs" and request Ethereum for their help.

"We are security experts from Korea, We will find bugs and report to the clients if they do not respond we try to make money, We have hacked more 50 Big websites we never sold anything," the threat actors told BleepingComputer.

The threat actors have stated that they are in conversations with ZEE5 and are asking for a minimum of a 10 Ethereum "donation" for their help.

As for the threat actors, whether or not they are from Korea cannot be confirmed.

As they are using the Tutanota email service, which provides private and encrypted mailboxes and a webmail interface, there’s no reliable way to trace the email back.

The hckindia@tutanota.com email used by the hackers was previously seen in defaced sites claiming to have been done by "Korean Hackers."

Defaced site


Allegedly stolen data

When the hackers contacted Tagade, they stated that they downloaded 150GB of "private data" from Zee5.com, including the site's source code, and plan on selling it soon.

As part of the proof given to Tagade, they shared images of a repository on bitbucket.org containing the stolen information.

Bitbucket showing allegedly stolen data
Image credit: Quickcyber.news 

The URL for the Bitbucket repository is "restricted" to the public and prompts you to log in.

Private Bitbucket repository

To make matters worse, these hackers have posted partial data from the compromised database, secret keys present in the live source code, references to the company's Atlassian board, and AWS bucket credentials. They claim to have access to user data from almost every Indian state.

Alleged Zee5 data in a stolen database
Image credit: Quickcyber.news
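The secret keys and AWS bucket credentials sitting in live source code are exactly the kind of exposure a repository secrets scan is meant to catch before code is pushed or mirrored. The following is an added example, not ZEE5's code and not anything shared by the hackers or Quickcyber: a small Python scanner run over a constructed sample settings file. It matches the documented AWS access key ID shape (AKIA/ASIA plus 16 uppercase alphanumerics), a 40-character AWS secret assignment, and generic password/token assignments, using a Shannon-entropy gate so that placeholders such as `changeme` are not reported. The sample AWS values are AWS's published documentation examples; the rule names, the 3.5-bit threshold and the other sample strings are assumptions made for this example.

```python
import math
import re
from typing import Dict, List

# Rule table. The AWS access key ID shape is AWS's documented format; the other two
# patterns and the "entropy_gate" flag are assumptions made for this example.
RULES = [
    {
        "name": "aws_access_key_id",
        "pattern": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
        "entropy_gate": False,  # the shape alone is a strong enough signal
    },
    {
        "name": "aws_secret_access_key",
        "pattern": re.compile(
            r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
        ),
        "entropy_gate": False,
    },
    {
        "name": "generic_secret_assignment",
        # e.g. DB_PASSWORD = 'value' or API_TOKEN: "value"; value must be 8+ chars
        "pattern": re.compile(
            r"(?i)(?:secret|password|passwd|token)\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
        ),
        "entropy_gate": True,  # only report if the value looks random
    },
]

# Bits per character; dictionary-word placeholders fall below this (assumed threshold).
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(value: str) -> float:
    """Shannon entropy in bits per character of `value` (0.0 for the empty string)."""
    if not value:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a 4-char prefix so a finding is recognisable without re-leaking the secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 4)


def scan_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per matched secret: rule name, 1-based line number, redacted value."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        for rule in RULES:
            for m in rule["pattern"].finditer(line):
                # Capturing rules put the secret in group 1; the key-ID rule is the whole match.
                value = m.group(1) if m.lastindex else m.group(0)
                if rule["entropy_gate"] and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue  # low entropy: almost certainly a placeholder, not a live secret
                findings.append({"rule": rule["name"], "line": lineno, "value": redact(value)})
    return findings


# Constructed sample settings file standing in for code committed to a repository.
# The AWS values are AWS's published documentation examples, not live credentials.
SAMPLE_SOURCE = [
    "DEBUG = False",
    "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'",
    "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'",
    "DB_PASSWORD = 'changeme'",
    "API_TOKEN = 'q7Zp3xR9vL2mK8nT4wY6bC1dF5gH0jA'",
    "BACKUP_BUCKET = 's3://example-bucket/dittotv-backups'",
]

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_SOURCE):
        print(f"line {finding['line']}: {finding['rule']} -> {finding['value']}")
```

Run as a pre-commit hook or CI step over the files in a change set, the scanner reports the two AWS credentials and the random-looking API token while staying silent on `changeme`; the redacted output keeps the finding useful in a CI log without copying the secret into yet another place.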

The leaked records contain private information on subscribers, including recent transaction data, email addresses, mobile phone numbers and passwords, and multiple screenshots shared by the hackers serve as proof of access to such records:

SQL structure of database hosted on the AWS bucket
Image credit: Quickcyber.news

Below you can see a picture of the alleged source code for Zee5.com that the hackers claim they have stolen.

folders with source code and other sensitive information
Image credit: Quickcyber.news

Was Dish TV compromised too?

One of the screenshots, shown below, also lists a "dish-tv" network drive, which is noteworthy because Essel Group, which owns ZEE, also owns the satellite TV company Dish TV.

Could this mean the hackers also had access to Dish TV customer information?

Image showing dish-tv folder

There’s also the "dittotv-databases-backup" folder. DittoTV was the former video-on-demand arm of the service.

Further investigation is in progress, and at this time, ZEE5 has not replied to Tagade or us for comment.

In a statement shared with IANS, Tushar Vohra, Head Technology at ZEE5 India has acknowledged seeing some reports of data breach:

"We are investigating it further. We are also cognizant of the fact that the OTT sector has exploded in the past few years, so has hackers' interest in it. Especially post COVID-19 outbreak, data hacks have been on a steady rise. It is a shallow attempt to gain vested interests," Vohra explained.

"ZEE5’s backend is built with state of the art technology which is robust and strong, and we will continue to invest aggressively in technology, partnering with some of the leaders in security measures including Akamai, AWS (Amazon Web Services) to safeguard users' data and to ensure it is never compromised," he added.

Under Indian law, a Personal Data Protection Bill 2019 has been introduced, but it is still under review and has not been fully legislated. The bill also makes no mention of fines or penalties.

The lack of sufficient data protection legislation and privacy laws in India may well allow large corporations to suffer data breaches, and to leave them unreported, without any risk of fines.

This is a developing story. Please check back for more updates.

Update 6/7/20: Added statement from Tushar Vohra, Head Technology at ZEE5 India.
