Unacademy Breach dates back to January, hacker claims to have access to the entire database
Unacademy, one of the largest online learning platforms in India, has faced a data breach, and details of 22 million Unacademy users are reportedly available for sale. The major data breach was exposed by US-based cyber security firm Cyble.
What Happened To Unacademy?
According to security firm Cyble Inc, a hacker is offering the user database, containing 21,909,707 records, for USD 2,000. Cyble Inc added that it has managed to acquire the database and added the user records to its data breach monitoring service which can be used by millions of Unacademy users to determine whether their account was hacked or not.
According to Cyble, the data breach took place in January 2020, and the hacker is alleged to have access to the entire database of Unacademy. “However, they decided to only leak users’ accounts at this point in time, further leaks are expected in the near future,” Cyble said in its blog post. “Along with disclosing the data breach, Cyble has also acquired the leaked database which approximately contains 22 million (21,909,709) Unacademy’s user account details,” the company added.
These records include usernames, SHA-256 hashed passwords, date joined, last login date, email addresses, first and last names, and whether the account is active, a staff member, or a superuser.
The data scare was discovered by Cyble on May 3. It reported that the threat actor had begun to sell an Unacademy user database containing 20 million accounts for $2,000.
Unacademy boasts 14,000 teachers, over a million video lessons, and over 20 million registered users (learners). The company’s investors include Facebook, Sequoia India, SAIF Partners and Blume Ventures.
The exposed database also has numerous accounts using corporate emails, including those of Wipro, Infosys, Cognizant, Google, and Facebook, cyber security portal BleepingComputer reported, citing Cyble. “If these users utilise the same passwords on their corporate network it could allow the threat actor to gain access to these networks as well,” it said.
Conclusion
Hemesh Singh, co-founder and CTO of Unacademy, confirmed the data breach but claimed that only 11 million users were affected and that no passwords were exposed. “We would like to assure our learners that no sensitive information such as financial data, location or passwords has been breached… We are doing a complete background check and will be addressing any potential security loophole to further our efforts of ensuring a robust security mechanism. Data security and privacy of our learners is of utmost importance to us and we will be in communication with our learners to keep them updated on the progress,” BleepingComputer quoted from Singh’s statement.
“We follow stringent encryption methods using the PBKDF2 algorithm with a SHA256 hash, making it highly implausible for anyone to access the learner passwords. We also follow an OTP based login system that provides an additional layer of security to our learners,” Singh stated.