[BreachExchange] Unacademy Suffers a Data Breach; 22 Mn User Records for Sale on Dark Web

[Destry Winant]

https://www.cisomag.com/unacademy-data-breach/

India-based online learning platform Unacademy suffered a data breach
that exposed details of 22 million users, cybersecurity firm Cyble
revealed. It was also found that the unknown hackers kept 21,909,707
user records for sale at $2,000 on darknet forums. The compromised
information included usernames, hashed passwords, date of joining,
last login date, account status, email addresses, first and last
names, and other account profile details.

Founded in 2010, Unacademy offers thousands of video tutorials with
around 14,000 teachers and over 20 million registered online learners.

According to BleepingComputer, most of the Unacademy accounts were
created using corporate emails, with the users from companies like
Wipro, Infosys, Cognizant, Google, and Facebook. In case these
corporate learners used the same password on both their corporate
network and Unacademy platform, it could allow hackers to compromise
those networks too.

Hemesh Singh, Co-founder and CTO of Unacademy, confirmed the data
breach and stated that only 11 million users were affected and no
sensitive information like financial data, location or passwords were
exposed.

“We have been closely monitoring the situation and can confirm that
basic information related to around 11 million learners has been
compromised. We follow stringent encryption methods using the PBKDF2
algorithm with a SHA256 hash, making it highly implausible for anyone
to access the learner passwords. We also follow an OTP based login
system that provides an additional layer of security to our learners.
We are doing a complete background check and will be addressing any
potential security loophole to further our efforts of ensuring a
robust security mechanism,” Singh commented in a media statement.

In a similar data breach discovery, Cyble found hackers selling over
267 million Facebook records for £500 (US$623) on dark web sites and
hacker forums. Cyble claimed that the records contain information that
could allow attackers to perform spear phishing or SMS attacks to
steal credentials.

The exposed information includes email addresses,  first and last
names, last connection, status, age, phone numbers, Facebook IDs,
dates of birth, age, and other personal data. Facebook clarified that
none of the records include passwords. However, the breached
information is enough for hackers to launch phishing campaigns, and
other online frauds, experts stated.