In an exclusive story reported on my blog about a month ago, and on no other mainstream media outlet, credentials of some 1,023 ZEE5 Premium accounts were found floating on the web. These user accounts belong to the popular video-on-demand streaming service, ZEE5.

The origins of the incident date back to April 12th 2020, when a new paste titled "Zee5 Premium" (data set archived here) emerged on Pastebin, revealing email addresses and full plaintext passwords of some Premium users. The discovery was brought to light by notifications sent out by the data breach monitoring service HaveIBeenPwned, which had likely detected the newly published paste automatically and messaged its subscribers (and only its subscribers).

Naturally, surprised to see this on HaveIBeenPwned with no public report by any news outlet, and a total lack of correspondence from ZEE5, I reached out to ZEE5's support staff on April 15th to request that they pass these findings on to the appropriate teams so they could investigate. They were quick to respond to the support request, even during the COVID-crisis times (which is respectable), and acknowledged they had passed the findings to "the relevant team for their review." They further added, "[We] appreciate your time & patience in the interim. We'll update you once we hear from them."

To this date, however, there's no record of an email having been sent out to impacted ZEE5 customers advising them to change their passwords, or of a public statement acknowledging the data incident. Not to forget, if this was a case of a data breach (we don't know yet), ZEE5's negligence in storing passwords in plaintext, without the use of any hashing or salting, would be problematic, if this is indeed what happened.

It is not exactly known if this was a leak, a breach, or a classic case of credential stuffing... that is, the party behind the set had corroborated an already-compromised set of creds from elsewhere against ZEE5's servers in an automated fashion, and published the ones that worked. This is plausible. But semantics don't change the importance, or seriousness, of these findings. At the very least, ZEE5 could have automatically reset the passwords of the impacted accounts.

Moreover, the content of the paste is rather interesting in how it reveals the origins of the user's premium plan (e.g. promotional offers), the expiration date of the plan, along with the auto-renewal setting; almost as if it's been pulled from an API, post successful authentication.

Their authentication REST API endpoint is rather simple:

https://userapi.zee5.com/v1/user/loginemail?email=FAKE@example.com&password=testttt

A failed authentication attempt returns the JSON message:

{ "code": 2120, "message": "The email address and password combination was wrong during login." }

Whereas a successful login returns a beautiful token eventually granting access to the user's account:

{ "token": "eyJhbGc....8IND4sZBNpMLMQ" }

In times where APIs are increasingly falling prey to credential stuffing, there does not appear to be a hard limit on the number of requests that can be made to ZEE5's API, or any additional captcha-style security roadblocks to prevent automated login attempts.

The multi-language video streaming company claims to serve over 190 countries, with a member base exceeding a whopping 150 million, according to some sources. The company delivers video content over multiple platforms: the web, smart TVs, mobile apps, etc. One would assume an operation of this scale would take security incidents seriously.

ZEE5 falls under the corporate umbrella of the massive Essel Group, the powerful conglomerate behind numerous Indian television, entertainment and news channels, and with significant ownership in Dish TV. That does not exempt Essel or ZEE5 from the corporate responsibility of ethically catering to its customers.
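Detection logic for the automated login pattern described above, as an added example that is not part of the original post: it scans constructed access-log lines for the /v1/user/loginemail endpoint and flags source addresses that cycle through many distinct accounts with a low success rate, which is what credential stuffing looks like from the server side. The log format, the use of HTTP 401 for failed logins, the sample IPs and the thresholds are all assumptions; ZEE5's actual logging is not known.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

LOGIN_PATH = "/v1/user/loginemail"  # endpoint quoted in the post
# Common Log Format: ip ident user [time] "METHOD target proto" status size
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log (documentation IPs, fake addresses, passwords redacted).
# 203.0.113.5 walks five accounts and gets one hit; 198.51.100.9 is a person retrying.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Apr/2020:10:00:01 +0000] "GET /v1/user/loginemail?email=u1%40example.com&password=REDACTED HTTP/1.1" 401 98
203.0.113.5 - - [12/Apr/2020:10:00:01 +0000] "GET /v1/user/loginemail?email=u2%40example.com&password=REDACTED HTTP/1.1" 401 98
203.0.113.5 - - [12/Apr/2020:10:00:02 +0000] "GET /v1/user/loginemail?email=u3%40example.com&password=REDACTED HTTP/1.1" 200 64
203.0.113.5 - - [12/Apr/2020:10:00:02 +0000] "GET /v1/user/loginemail?email=u4%40example.com&password=REDACTED HTTP/1.1" 401 98
203.0.113.5 - - [12/Apr/2020:10:00:03 +0000] "GET /v1/user/loginemail?email=u5%40example.com&password=REDACTED HTTP/1.1" 401 98
198.51.100.9 - - [12/Apr/2020:10:00:05 +0000] "GET /v1/user/loginemail?email=me%40example.com&password=REDACTED HTTP/1.1" 401 98
198.51.100.9 - - [12/Apr/2020:10:00:09 +0000] "GET /v1/user/loginemail?email=me%40example.com&password=REDACTED HTTP/1.1" 200 64
198.51.100.9 - - [12/Apr/2020:10:00:10 +0000] "GET /v1/user/profile HTTP/1.1" 200 512
"""

def parse_login_events(log_text):
    """Yield (ip, email, succeeded, password_in_url) for each login request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != LOGIN_PATH:
            continue  # not a login call
        qs = parse_qs(url.query)
        email = qs.get("email", ["<missing>"])[0].lower()
        # Assumed: failed logins answer with HTTP 401 (the post only shows the JSON body).
        yield m["ip"], email, m["status"] == "200", "password" in qs

def detect_stuffing(log_text, min_accounts=5, max_success_rate=0.5):
    """Flag source IPs that try many distinct accounts with mostly failures.
    A real user retries one or two addresses; a stuffing run walks a list."""
    per_ip = defaultdict(lambda: {"emails": set(), "attempts": 0, "successes": 0})
    password_logged = False  # true if any request carried the password in the URL
    for ip, email, ok, pw_in_url in parse_login_events(log_text):
        stats = per_ip[ip]
        stats["emails"].add(email)
        stats["attempts"] += 1
        stats["successes"] += int(ok)
        password_logged = password_logged or pw_in_url
    suspects = {ip: s for ip, s in per_ip.items()
                if len(s["emails"]) >= min_accounts
                and s["successes"] / s["attempts"] <= max_success_rate}
    return suspects, password_logged
```

Because the endpoint takes the password as a GET query parameter, it lands in access logs like these and in any proxy or CDN in between; the sample has it redacted, which is the first thing a defender would want the real logs to do.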
My motivation behind writing this piece stems from an ethical standpoint. I believe ZEE5 users impacted by the breach must be informed that their credentials were compromised at some point, and that they should change their password, not only on ZEE5, but anywhere else they've used it. And this is something the company has not done yet, which puts both their customers and reputation at risk.

How to protect yourself?

First things first, change your ZEE5 password immediately, whether your email address appears on the list or not. You may head straight to HaveIBeenPwned to see if you're impacted by this incident, should the list be no longer available.

If this was a case of data breach and not credential stuffing, there remains a small possibility that ZEE5 is inadvertently continuing to store even newly set passwords in plaintext. My advice in such a case is to set a strong but disposable new password and not use it on any other site. Also, remove any overly personal information from your account, and if at all possible, request your account to be deleted permanently.

Remember, also, to change your password on any other website where you've used the same email address and password combination as for your ZEE5 account.

© 2020. Ax Sharma (Twitter). All Rights Reserved.