Zee5 data leak reveals full plaintext passwords of Premium users!

A recently discovered dataset containing some 1,023 compromised Premium accounts for an online streaming service is floating around the web.

Ax Sharma
AxDB
Apr 15, 2020


Note: A part 2 to this with additional information exists on Hacker Noon.

EXCLUSIVE.

A new data set (archived copy) titled “Zee5 Premium”, published on April 12, reveals some 1,023 email addresses and full plaintext passwords of Premium user accounts associated with the online streaming service Zee5. The discovery came to light today thanks to the notifications sent out by the data breach monitoring service HaveIBeenPwned, which likely detected the newly published paste automatically.

A snippet from HaveIBeenPwned email sent out to the impacted members.

The multi-language video streaming company claims to serve over 190 countries, with a solid member base exceeding a whopping 150 million. The company delivers video content over multiple platforms — the web, smart TVs, mobile apps, etc. One would assume an operation of this scale and magnitude would take security seriously.

The data exposure is especially important because it demonstrates that even in 2020, when commonsense password security techniques (hashing and salting) are a given, companies continue to carelessly store passwords in plaintext.

A few rows from the published data set revealing plaintext passwords and email addresses of Zee5 Premium users.

Anyone with access to this information would now trivially be able to log into one or more Premium accounts, and enjoy premium access to the service, in addition to the personal information of compromised users — potentially including their phone number and date of birth.

How did the leak happen?

As of now, not much is known about the cause or whereabouts of the data leak. Nothing has been reported in the news thus far and no public comment has been made by Zee5 or its parent Essel Group; however, the authenticity of the data set can be confirmed by HaveIBeenPwned and myself.

How to protect yourself?

First things first, change your Zee5 password immediately, whether your email address appears on the list or not. You may refer to the paste to see if you’re impacted or better yet, head straight to HaveIBeenPwned.

Because Zee5 appears to not be aware of the incident as of writing this piece, it is likely they are continuing to store even newly set passwords in plaintext. My advice is to set a strong but disposable new password, remove any personal information from your account — and if possible, request your account to be deleted permanently.

Also change your password on any other website where you’ve used the same email address and password combination as for your Zee5 account.


In this day and age, when data breaches have become a ubiquitous reality and user security is paramount, it comes as a shock that companies continue to undermine the value of implementing even the easiest of security measures. In Zee5’s case at least, it is beyond anyone’s comprehension what a company this size is achieving by keeping passwords in plaintext!

© 2020. Ax Sharma (Twitter). All Rights Reserved.
