Data of 2.2cr Unacademy users hacked, available at Rs. 1.5L
Unacademy, one of the biggest online learning platforms in India, has suffered a massive data breach. The company, according to a report from cyber intelligence firm Cyble Inc., was targeted by a hacker who managed to steal the data of millions of users of the platform and put it up on sale on the dark web. Here's all about it.
A few days back, the research team at Cyble discovered the Unacedemy database on a dark web marketplace. The batch, they found, carried nearly 22 million records related to the users of the platform and was being sold for just $2,000 (Rs. 1.52 lakh). This included the first and last names of Unacademy users, their email addresses, hashed passwords, joining/last login dates, and more.
Following the discovery, Cyble and BleepingComputer were able to verify the leaked data was indeed authentic. They even found that some of the users compromised in the breach were the employees of Wipro, Infosys, Cognizant, Google, and Facebook who had signed up with their official email ids. Now, this could pose a major threat to the security of their corporate network.
Following the report, Hemesh Singh, the co-founder and CTO of Unacademy, confirmed the breach but said only 11 million users were compromised. "Basic information related to 11 million learners has been compromised," Singh said while noting that "no sensitive information such as financial data, location, or passwords has been breached" and they are "doing a complete background check" to address any potential security loophole.
Despite confirming the breach, Singh did not say anything about how the threat actor[s] got access to the company's systems and when exactly the attack was carried out. Notably, the latest record in the breached database was of January 26.
As we wait for Unacademy's clarification on the matter and the discrepancies around the number of compromised users, there is a high possibility that much more data might have been stolen than currently assumed. This is because, when Cyble contacted the hacker[s] who posted the dataset, they said this user data is just a part of the information they acquired from the company's systems.
That said, if you have an account on Unacademy, better change your password for the service. Also, in case that password is used on some other service as well, make sure to change it right away.