Lady Gaga website hacked to expose users' data

The personal information belonging to thousands of Lady Gaga fans was stolen after hackers breached the singer's U.K. website.

A group of hackers named Swagger Security (or SwagSec) raided a database containing the names and email addresses of fans who created accounts. The hack reportedly occurred on June 27, though SwagSec did not release the stolen information until last week.

SwagSec has previously attacked sites related to entertainers Amy Winehouse and Justin Bieber.

In a tweet, the group linked to a profanity-laden message accusing the singer of being homophobic. Ironically, Lady Gaga has been a vocal supporter of the lesbian, gay, bisexual and transgender (LGBT) communities.

Universal Music Group, Lady Gaga's record label, reportedly said that no passwords or financial information was taken during the intrusion. The company said it has notified affected individuals and the police. It also said it has taken unspecified measures to ensure a similar incident does not recur.

Universal Music Group has not disclosed how hackers broke into the site or exactly how many users were affected.

Representatives from the record company did not immediately respond Monday when contacted by SCMagazineUS.com for comment.

The hackers likely accessed the site via SQL injection, Rob Rachwald, director of security strategy at Imperva, a database and application security firm, told SCMagazineUS.com on Monday.

A hacker in early May posted an entry to an underground forum revealing an SQL injection flaw on the site, Rachwald said. The hacker likely discovered the bug by using an automated tool to scan for vulnerabilities across multiple websites.

SQL injection is one of the most prevalent and widely exploited website vulnerabilities, he added.

“It is very attractive to hackers because that's how you get data,” Rachwald said. “And the good guys don't always code properly and build defenses in. The hackers are thinking about it and the good guys aren't, so we've got quite a mismatch.”

Affected users may receive an increase in spam messages as a result of the hack, he warned. Such messages may contain malicious attachments or links offering free concert tickets or exclusive content related to Lady Gaga.

“This is a great way to spread malware – claiming you have an unseen video from Lady Gaga,” Rachwald said. “When someone clicks on it, it's malware.”

Attackers may also use brute-force methods to break into the affected email accounts.

In a blog post, Graham Cluley, senior technology consultant at anti-virus firm Sophos, criticized Lady Gaga and Universal Music Group for doing a poor job of protecting users' information, failing to apologize for the blunder, and not posting a notification about the breach on the site.
