Unacademy hacked, data of 20 million users up for sale

Breach dates back to January, hacker claims to have access to entire the database

Unacademy-logo The major data breach was exposed by US-based cyber security firm Cyble

Unacademy, one of the most popular online educational platforms in India, has suffered a major security breach that led to the exposure of data of around 20 million of its subscribers. The major data breach was exposed by US-based cyber security firm Cyble, who had discovered the security scare at Zoom. The exposed data has been available on sale in the dark web. 

According to Cyble, the data breach took place in January 2020, and the hacker is alleged to have access to the entire database of Unacademy. "However, they decided to only leak users' accounts at this point in time, further leaks are expected in the near future," Cyble said in its blog post. "Along with disclosing the data breach, Cyble has also acquired the leaked database which approximately contains 22 million (21,909,709) Unacademy’s user account details," the company added.  

These records include usernames, SHA-256 hashed passwords, date joined, last login date, email addresses, first and last names, and whether the account is active, a staff member, or a superuser.

The data scare was discovered by Cyble on May 3. It informed that the threat actor had begun to sell an Unacademy user database containing 20 million accounts for $2,000.

Unacademy boasts of 14,000 teachers, over a million video lessons, and over 20 million registered users (learners). The company’s investors include Facebook, Sequoia India, SAIF Partners and Blume Ventures.

The exposed database also has numerous accounts using corporate emails, including that of Wipro, Infosys, Cognizant, Google, and Facebook, cyber security portal BleepingComputer reported citing Cyble. "If these users utilise the same passwords on their corporate network it could allow the threat actor to gain access to these networks as well," it said. 

Confirming the data breach, Hemesh Singh, co-founder and CTO of Unacademy, however, claimed that only 11 million users were affected and that no passwords were exposed. "We would like to assure our learners that no sensitive information such as financial data, location or passwords has been breached... We are doing a complete background check and will be addressing any potential security loophole to further our efforts of ensuring a robust security mechanism. Data security and privacy of our learners is of utmost importance to us and we will be in communication with our learners to keep them updated on the progress," BleepingComputed quoted from Singh's statement. 

"We follow stringent encryption methods using the PBKDF2 algorithm with a SHA256 hash, making it highly implausible for anyone to access the learner passwords. We also follow an OTP based login system that provides an additional layer of security to our learners," Singh stated.