Unacademy, one of the most popular online learning platform in India, has suffered a major security breach that has exposed data of around 20 millions of its subscribers at risk, cybersecurity intelligence firm Cyble claims in a blog post. The exposed data are reportedly available for sale now on the Dark Web.
According to Cyble, Unacademy was compromised in January 2020, and the hacker apparently had access to the complete database of the edtech platform. “However, they decided to only leak users’ accounts at this point in time, further leaks are expected in the near future,” Cyble said in its blog post.
“Along with disclosing the data breach, Cyble has also acquired the leaked database which approximately contains 22 million (21,909,709) Unacademy’s user account details,” the company added.
The database reportedly includes usernames, SHA-256 hashed passwords, email addresses, first and last names, login location and timings, account profile (staff member/a superuser), account status (whether the account is active or not).
On May 3, 2020, Cyble discovered that the threat actor had put up the exposed Unacademy user database containing 20 million accounts on sale on the Dark Web for $2,000.
The database also includes users from companies like Wipro, InfoSys, Cognizant, Google, and Facebook.
Bleeping Computer contacted several Unacademy users and verified that the data is genuine and contains accurate information. It also claimed that the hackers have stolen much more than just the user database.
“The threat actors have alleged to Cyble’s researchers that they have stolen the entire database, but are only putting the user records up for sale at this time,” Bleeping Computer reports.
“This holding back of other data indicates that there is more value to be had in the stolen database than just user records. It is not known what this data includes.”
Unacademy has confirmed that they suffered a data breach, but also added that no sensitive information was compromised.
“As per our internal investigations, email data of around 11 million users has been compromised as against 22 million stated in reports. This is on account of only around 11 million email data of users available on the Unacademy platform. We have been closely monitoring the situation and would like to assure our users that no sensitive information such as financial data or location has been breached,” Hemesh Singh, Co- Founder and CTO, Unacademy said in a statement.
Regarding measures taken to secure user data, Singh explained, “Data security and privacy protection of our users is of utmost importance to us and we are doing everything possible, to ensure no personal information is compromised. We follow stringent encryption methods using the PBKDF2 algorithm with a SHA256 hash, making it highly implausible for anyone to decrypt passwords. We also follow an OTP based login system that provides an additional layer of security to our users.”
The company is now conducting a complete background check and will be addressing any potential security loopholes or security threats.
“Data security and privacy of our learners is of utmost importance to us and we will be in communication with our learners to keep them updated on the progress,” Singh added.
Meanwhile, security firm Cyble has recommended registered Unacademy learners and educators to immediately change their passwords on the site. Also, those using the same password at other sites are strongly suggested to change their password to a unique one at those sites.
Cyble noted that it has acquired the database and added the user records to its data breach monitoring service amibreached.com. You can use this service to verify if your Unacademy account was leaked as part of the breach.