A group of hackers named Swagger Security (or SwagSec) raided a database containing the names and email addresses of fans who created accounts. The hack reportedly occurred on June 27, though SwagSec did not release the stolen information until last week.
SwagSec has previously attacked sites related to entertainers Amy Winehouse and Justin Bieber.
In a tweet, the group linked to a profanity-laden message accusing the singer of being homophobic. Ironically, Lady Gaga has been a vocal supporter of the lesbian, gay, bisexual and transgender (LGBT) communities.
Universal Music Group, Lady Gaga's record label, reportedly said that no passwords or financial information was taken during the intrusion. The company said it has notified affected individuals and the police. It also said it has taken unspecified measures to ensure a similar incident does not recur.
Universal Music Group has not disclosed how hackers broke into the site or exactly how many users were affected.
Representatives from the record company did not immediately respond Monday when contacted by SCMagazineUS.com for comment.
The hackers likely accessed the site via SQL injection, Rob Rachwald, director of security strategy at Imperva, a database and application security firm, told SCMagazineUS.com on Monday.
A hacker in early May posted an entry to an underground forum revealing an SQL injection flaw on the site, Rachwald said. The hacker likely discovered the bug by using an automated tool to scan for vulnerabilities across multiple websites.
SQL injection is one of the most prevalent and widely exploited website vulnerabilities, he added.
“It is very attractive to hackers because that's how you get data,” Rachwald said. “And the good guys don't always code properly and build defenses in. The hackers are thinking about it and the good guys aren't, so we've got quite a mismatch.”
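As an added illustration, not code from the article, the fan site, or Imperva: the coding defect Rachwald describes, a lookup that splices user input into the SQL text, beside the parameterized form that keeps input as data. The table and its rows are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for a fan-site accounts table
# (usernames and e-mail addresses); not the breached site's real schema.
FANS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("o'brien", "obrien@example.com"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fans (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO fans VALUES (?, ?)", FANS)
    return conn


def lookup_vulnerable(conn, username):
    # Defective pattern: the input becomes part of the SQL text, so a quote in
    # it changes the query's structure instead of being compared as a value.
    sql = "SELECT email FROM fans WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    # Hardened form: the driver binds the value separately from the query text,
    # so quotes and keywords in the input are never parsed as SQL.
    sql = "SELECT email FROM fans WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    conn = make_db()
    results = {}
    results["safe_normal"] = lookup_safe(conn, "alice")
    # A legitimate name with an apostrophe works when bound as a parameter...
    results["safe_quote"] = lookup_safe(conn, "o'brien")
    # ...and a tautology string is just an unknown username: no rows.
    results["safe_tautology"] = lookup_safe(conn, "x' OR '1'='1")
    try:
        results["vuln_quote"] = lookup_vulnerable(conn, "o'brien")
    except sqlite3.OperationalError:
        results["vuln_quote"] = "syntax error"  # the stray quote broke the SQL
    # The same tautology against the spliced query dumps every address.
    results["vuln_tautology"] = lookup_vulnerable(conn, "x' OR '1'='1")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The broken query on a legitimate apostrophe is the same defect that lets the tautology dump the table, so that failure mode is also the cheapest detection signal: SQL syntax errors in application logs on user-supplied fields.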
Affected users may receive an increase in spam messages as a result of the hack, he warned. Such messages may contain malicious attachments or links offering free concert tickets or exclusive content related to Lady Gaga.
“This is a great way to spread malware – claiming you have an unseen video from Lady Gaga,” Rachwald said. “When someone clicks on it, it's malware.”
Attackers may also use brute-force methods to break into the affected email accounts.
In a blog post, Graham Cluley, senior technology consultant at anti-virus firm Sophos, criticized Lady Gaga and Universal Music Group for doing a poor job of protecting users' information, failing to apologize for the blunder, and not posting a notification about the breach on the site.