Unacademy Data Breached, Hacker Sold Data of Nearly 2.2 Crore Users: Report

Unacademy, a popular online learning platform in India, seems to have suffered a data breach in January that has put the details of around 2.2 crore users at risk. A hacker was able to obtain the exposed database of Unacademy users and has started selling them on the dark Web for $2,000 (roughly Rs. 1,51,800), according to US-based cybersecurity firm Cyble. The database reportedly includes usernames, hashed passwords, email addresses, and first and last names of users. Unacademy has confirmed the breach in a statement, though it has said that only 11 million users were affected.

Cyble was able to discover the Unacademy database available for purchase on the dark Web on May 3, reports BleepingComputer. The exposed database is said to have a total of 2,19,09,707 user records. These records include not just the usernames and email addresses of the affected users but is also found to have SHA-256 hashed passwords, first and last names of users and the details about whether the account is active.

It is reported that the last user account created in the database is from January 26. This suggests that the hacker was able to breach Unacademy's systems sometime in January.

Corporate details exposed too
Alongside the details of regular users, Cyble confirmed that there are accounts using corporate email addresses that are a part of the exposed database. These email addresses reportedly include company names such as Cognizant, Google, Infosys, and Wipro as well as Unacademy's investor Facebook among others. One major fear is that if any of the affected users were using the same password at their workplace that they used for signing in on the learning platform, the hacker could gain access to their professional accounts as well.

In a statement to Gadgets 360, Unacademy co-founder and CTO Hemesh Singh acknowledged the data breach, though he stated that only 11 million users were affected as per internal investigations — not the nearly 22 million number reported by Cyble. "This is on account of only around 11 million email data of users available on the Unacademy platform," he said.

"We have been closely monitoring the situation and would like to assure our users that no sensitive information such as financial data or location has been breached. Data security and privacy protection of our users is of utmost importance to us and we are doing everything possible, to ensure no personal information is compromised. We follow stringent encryption methods using the PBKDF2 algorithm with a SHA256 hash, making it highly implausible for anyone to decrypt passwords. We also follow an OTP based login system that provides an additional layer of security to our users," he continued.

Singh also stated that the company is doing a complete background check and will be addressing any potential security loophole to enhance its security mechanism. "We are in communication with our users to keep them updated on the progress," he added.

However, BleepingComputer claimed that it was able to see hashed passwords amongst the records available in the exposed database. It is also reported that the hacker has data in addition to user records. It is unknown what additional data was exposed, though.

Recommendations for Unacademy users
If you're one of the users of the Unacademy platform, it is highly recommended to immediately change your password. You should also make changes to other sites if you're using the same password across all your online accounts. Furthermore, you should be careful of targeted phishing emails.

In 2020, will WhatsApp get the killer feature that every Indian is waiting for? Samsung Galaxy S20 in India? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts or RSS, download the episode, or just hit the play button below.