Unacademy, one of the most popular online learning platforms in India, suffered a data breach in January that has put the data of about 2.2 crore users at risk, as reported by the US-based cybersecurity firm Cyble.
According to the report, a hacker was able to breach an exposed database of Unacademy users and has started selling the data on the Dark Web for $2,000 (about Rs. 1,51,800). The exposed database reportedly includes usernames, SHA-256 hashed passwords, email addresses, users' first and last names, and whether each user account is active.
Unacademy has confirmed the data breach in a statement, but it reports that only 11 million users were affected, almost half the number claimed by Cyble.
According to BleepingComputer, Cyble discovered that the Unacademy database was available for sale on the Dark Web on May 3rd, and the exposed database is said to have a total of 2,19,09,707 user records.
It also reports that the database includes user data up to January 26, which suggests that the hacker was able to access Unacademy's database sometime in January.
Cyble also reported that some accounts using corporate email addresses are part of the exposed database. These email addresses include company names such as Cognizant, Google, Infosys, and Wipro, as well as Unacademy's investor Facebook, among others.
In a statement to BleepingComputer, Hemesh Singh, Unacademy co-founder and CTO, acknowledged the data breach, though he stated that only 11 million users were affected, with no exposure of their passwords. “We follow stringent encryption methods using the PBKDF2 algorithm with a SHA256 hash, making it highly implausible for anyone to access the learner passwords. We also follow an OTP based login system that provides an additional layer of security to our learners,” he said, as quoted by the website.
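The report speaks of "SHA-256 hashed passwords" while the statement describes PBKDF2 with SHA256; the sketch below shows how the two differ for password storage. It is an added example, not Unacademy's code, and the iteration count, salt size and `scheme$iterations$salt$key` storage format are assumptions.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor, not a value from the article
SALT_BYTES = 16       # assumed per-user salt size

def plain_sha256(password: str) -> str:
    """Single unsalted SHA-256: equal passwords always give equal hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh random salt for every stored record."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    enc = lambda raw: base64.b64encode(raw).decode("ascii")
    return f"pbkdf2_sha256${iterations}${enc(salt)}${enc(key)}"

def _parse(stored: str):
    """Split a stored record; ValueError covers every malformed case."""
    scheme, iterations, salt, key = stored.split("$")
    count = int(iterations)
    # Bound the count so a corrupted record cannot force unbounded work.
    if scheme != "pbkdf2_sha256" or not 1 <= count <= 10_000_000:
        raise ValueError("unsupported record")
    return count, base64.b64decode(salt), base64.b64decode(key)

def verify_password(password: str, stored: str) -> bool:
    try:
        count, salt, expected = _parse(stored)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, count)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison

def needs_rehash(stored: str, target: int = ITERATIONS) -> bool:
    """True when a record is malformed or uses fewer iterations than the target."""
    try:
        return _parse(stored)[0] < target
    except ValueError:
        return True

if __name__ == "__main__":
    first, second = hash_password("learner-pass"), hash_password("learner-pass")
    print(plain_sha256("learner-pass") == plain_sha256("learner-pass"))  # same hash
    print(first != second, verify_password("learner-pass", first))
```

Calling `needs_rehash` after a successful login lets a service raise the iteration count over time without forcing a password reset.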
What should you do?
If you are an Unacademy user, it is highly recommended that you change your password immediately, and change it on any other online accounts where you use the same password. Also be more careful about targeted phishing emails.