One of India’s largest online learning platforms, Unacademy, had its database accessed in a breach that led to the sale of nearly 22 million user and staff account details. Researchers from Cyble discovered the database for sale on May 3rd, 2020 for around $2,000. After verifying its legitimacy, Cyble said the database records included usernames, SHA-256 hashed passwords, date joined, last login date, email addresses, first and last names, and whether the account is a staff member or a superuser. Analysis also revealed that the last account in the database was created on January 26th, 2020, so it’s likely the breach occurred around that time.
Numerous user accounts were registered with corporate email addresses from companies such as Wipro, InfoSys, Cognizant, Google, and Facebook. This could pose a serious risk if those users reused their passwords on their corporate network.
Unacademy CTO and co-founder Hemesh Singh confirmed that the breach happened but said less data was accessed than had been reported: “We have been closely monitoring the situation and can confirm that basic information related to around 11 million learners has been compromised. However, we would like to assure our learners that no sensitive information such as financial data, location or passwords has been breached. We follow stringent encryption methods using the PBKDF2 algorithm with a SHA256 hash, making it highly implausible for anyone to access the learner passwords. We also follow an OTP based login system that provides an additional layer of security to our learners. We are doing a complete background check and will be addressing any potential security loophole to further our efforts of ensuring a robust security mechanism. Data security and privacy of our learners is of utmost importance to us and we will be in communication with our learners to keep them updated on the progress.”
The threat actors responsible told Cyble that they stole more than just user data and had access to the whole database, but it is unknown at this time what that may include.
Unacademy users and staff are strongly encouraged to change their passwords immediately, and if the password used for their Unacademy account was used anywhere else, they should change it there as well. Targeted phishing campaigns made to look like they came from Unacademy are likely to be carried out using the information from the database.
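The statement above names PBKDF2 with SHA-256 as the password storage method. The following is an added example, not Unacademy's code, showing what that scheme looks like next to a plain SHA-256 digest and how a service can flag stored hashes for upgrade when users reset their passwords. The storage format, the iteration count and the function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed policy values for this example (not taken from the article).
ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"  # label used by this example's storage format

def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return '<scheme>$<iterations>$<salt hex>$<digest hex>' with a per-user salt."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored parameters; compare in constant time."""
    try:
        scheme, iter_s, salt_hex, digest_hex = stored.split("$")
        iterations = int(iter_s)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: reject rather than raise
    if scheme != SCHEME or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)

def needs_rehash(stored: str, minimum: int = ITERATIONS) -> bool:
    """True if the record is not in this format or is below the current work factor."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME or not parts[1].isdigit():
        return True
    return int(parts[1]) < minimum

def plain_sha256(password: str) -> str:
    """Unsalted single-pass digest, shown only for contrast."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    a, b = hash_password(pw), hash_password(pw)
    print("two users, same password, PBKDF2 records differ:", a != b)
    print("plain SHA-256 digests identical:", plain_sha256(pw) == plain_sha256(pw))
    print("verify:", verify_password(pw, a), "| wrong password:", verify_password("guess", a))
    print("old low-cost record needs rehash:", needs_rehash(hash_password(pw, iterations=1000)))
```

With a per-user salt, two accounts that share a password get different records, while an unsalted SHA-256 digest is identical wherever that password is reused.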