Unacademy, a popular online learning platform in India, seems to have suffered a data breach in January that has put the details of around 2.2 crore users at risk. A hacker was able to obtain the exposed database of Unacademy users and has started selling it on the dark Web for $2,000 (roughly Rs. 1,51,800), according to US-based cybersecurity firm Cyble. The database reportedly includes usernames, hashed passwords, email addresses, and first and last names of users. Unacademy has confirmed the breach in a statement, though it has said that only 11 million users were affected.
Cyble was able to discover the Unacademy database available for purchase on the dark Web on May 3, reports BleepingComputer. The exposed database is said to have a total of 2,19,09,707 user records. These records include not just the usernames and email addresses of the affected users but also SHA-256 hashed passwords, first and last names of users, and details about whether the account is active.
It is reported that the last user account created in the database is from January 26. This suggests that the hacker was able to breach Unacademy’s systems sometime in January.
Corporate details exposed too
In addition to the details of regular users, Cyble reportedly confirmed that there are accounts using corporate email addresses that are a part of the exposed database. These email addresses include company names such as Cognizant, Google, Infosys, and Wipro as well as Unacademy’s investor Facebook among others. One major fear is that if any of the affected users were using the same password at their workplace that they used for signing in on the learning platform, the hacker could gain access to their professional accounts as well.
In a statement to BleepingComputer, Unacademy co-founder and CTO Hemesh Singh acknowledged the data breach, though he stated that only 11 million users were affected and that their passwords were not exposed. “We follow stringent encryption methods using the PBKDF2 algorithm with a SHA256 hash, making it highly implausible for anyone to access the learner passwords. We also follow an OTP based login system that provides an additional layer of security to our learners,” he said, as quoted by the website.
However, BleepingComputer was able to see hashed passwords amongst the records available in the exposed database. It is also reported that the hacker has data in addition to user records. It is unknown what additional data was exposed, though.
Gadgets 360 has reached out to Unacademy to get clarity on the development and will update this space as and when the company responds.
Recommendations for Unacademy users
If you’re one of the users of the Unacademy platform, it is highly recommended that you change your password immediately. You should also change your password on other sites if you’re using the same password across your online accounts. Furthermore, you should be wary of targeted phishing emails.