"ZEE5," the popular Indian video-on-demand platform, has had a security incident that ended up in leaking the data (email addresses, cleartext passwords, full names, DoB) of nine million of its users. The discovery of the leaked data came from independent researchers Rajshekhar Rajaharia, who confirmed that the latest entry dates to February 23, 2021.
This means the incident is recent, but there was still a full week’s time to announce it to the userbase and inform everyone of the fact - something that ZEE5 opted not to do.
On the contrary, the streaming service responded to the researcher’s tweet, accusing him of acting irresponsibly by posting the leaked details on a public platform. The firm urged Rajaharia to delete the post and share the details with them privately, implying that they are still in the dark about the specifics of this incident.
It is important to note that the researcher masked the sensitive details before posting them, so he didn’t contribute to the exposure risk but merely informed the userbase about it.
ZEE5 had a data breach back in June 2020, resulting in the theft of 150GB of data. This data went up for sale on the dark web, and again ZEE5 decided not to make the incident public and just hoped that no one would notice. When the incident became known, ZEE5 assured its customers that there was nothing to worry about and that it was aggressively investing in rolling out security and user data protection technologies.
The need for this was evident, as ZEE5 had also suffered another breach in May 2020, which resulted in the compromise of 1,023 premium accounts. No warnings were distributed back then either.
In summary, ZEE5 has had three pretty catastrophic data breaches in nine months, and in all three cases, the platform did not notify its userbase. Whether the company does not notice the incidents or chooses to remain silent about them, the customers never get to learn about them until a third party publishes the story. This is extremely irresponsible and unethical, and it raises the risk of successful scam, phishing, or credential stuffing campaigns.