India-based online learning platform Unacademy suffered a data breach that exposed details of 22 million users, cybersecurity firm Cyble revealed. It was also found that the unknown hackers kept 21,909,707 user records for sale at $2,000 on darknet forums. The compromised information included usernames, hashed passwords, date of joining, last login date, account status, email addresses, first and last names, and other account profile details.
Founded in 2010, Unacademy offers thousands of video tutorials with around 14,000 teachers and over 20 million registered online learners.
According to BleepingComputer, most of the Unacademy accounts were created using corporate emails, with the users from companies like Wipro, Infosys, Cognizant, Google, and Facebook. In case these corporate learners used the same password on both their corporate network and Unacademy platform, it could allow hackers to compromise those networks too.
Hemesh Singh, Co-founder and CTO of Unacademy, confirmed the data breach and stated that only 11 million users were affected and no sensitive information like financial data, location or passwords were exposed.
“We have been closely monitoring the situation and can confirm that basic information related to around 11 million learners has been compromised. We follow stringent encryption methods using the PBKDF2 algorithm with a SHA256 hash, making it highly implausible for anyone to access the learner passwords. We also follow an OTP based login system that provides an additional layer of security to our learners. We are doing a complete background check and will be addressing any potential security loophole to further our efforts of ensuring a robust security mechanism,” Singh commented in a media statement.
In a similar data breach discovery, Cyble found hackers selling over 267 million Facebook records for £500 (US$623) on dark web sites and hacker forums. Cyble claimed that the records contain information that could allow attackers to perform spear phishing or SMS attacks to steal credentials.
The exposed information includes email addresses, first and last names, last connection, status, age, phone numbers, Facebook IDs, dates of birth, age, and other personal data. Facebook clarified that none of the records include passwords. However, the breached information is enough for hackers to launch phishing campaigns, and other online frauds, experts stated.