22 million Unacademy user records have been compromised. Unacademy is an online EdTech company in India. On 3rd of May, 2020, the cyber intelligence company Cyble Inc found that data on approximately 20 million of the company’s users was on sale for $2000.
While the sale listing advertised 20 million records, the actual count was found to be around 21,909,707 user records.
What data was sold?
The data of 21,909,707 user records consisted of usernames, SHA-256 hashed passwords, date joined, last login date, email addresses, first and last names, and whether the account is active, a staff member, or a superuser.
This is crucial data that anyone can now easily use to take over accounts or otherwise misuse.
Meanwhile, Hemesh Singh, CTO of Unacademy, said that “No sensitive information has been breached. We will be addressing potential security loopholes soon.”
The sold data looked like this
BleepingComputer contacted a few users whose data was in the leaked file to cross-verify the authenticity of the database, and the data turned out to be correct.
Cyble also confirmed that many of the business/corporate email addresses present in the database were correct. These business email accounts belonged to big businesses like Google, Wipro, Infosys, Cognizant, and Facebook.
This creates a potential further threat: if these business email users reuse the same credentials on their corporate network, more data is at risk.
What does Unacademy's official statement say?
In a statement, Hemesh Singh, co-founder and CTO, confirmed that the data breach happened and that they are working on identifying the impact on users and the business.
“We have been closely monitoring the situation and can confirm that basic information related to around 11 million learners has been compromised. However, we would like to assure our learners that no sensitive information such as financial data, location, or passwords has been breached. We follow stringent encryption methods using the PBKDF2 algorithm with a SHA256 hash, making it highly implausible for anyone to access the learner passwords. We also follow an OTP based login system that provides an additional layer of security to our learners. We are doing a complete background check and will be addressing any potential security loophole to further our efforts of ensuring a robust security mechanism. Data security and privacy of our learners is of utmost importance to us and we will be in communication with our learners to keep them updated on the progress.”
Hemesh Singh, Co-founder and CTO, Unacademy
According to the officials, only 11 million records have been breached and no passwords are believed to have been cracked by the hackers.
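Why the hashing scheme matters once a dump is in circulation: the listing described the passwords as SHA-256 hashed, while the company says it uses PBKDF2 with SHA256. The sketch below is an added example, not Unacademy's code; the iteration count, salt size, storage format and sample users are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 100_000  # assumed work factor; the article gives no iteration count

def plain_sha256(password):
    """Single unsalted SHA-256: equal passwords always produce equal digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def pbkdf2_hash(password, salt=None, iterations=ITERATIONS):
    """Return 'iterations$salt_hex$digest_hex' (assumed storage format)."""
    salt = os.urandom(16) if salt is None else salt  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        iter_s, salt_hex, digest_hex = stored.split("$")
        iterations = int(iter_s)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: reject instead of raising
    if iterations <= 0:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)

def users_sharing_a_hash(records):
    """Group usernames by stored hash; a group of 2+ exposes password reuse."""
    groups = defaultdict(list)
    for username, stored in records.items():
        groups[stored].append(username)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample users, two of whom picked the same password.
SAMPLE = {"asha": "Summer2020!", "ravi": "Summer2020!", "meena": "x9$Lq-77tRz"}

if __name__ == "__main__":
    unsalted = {u: plain_sha256(p) for u, p in SAMPLE.items()}
    salted = {u: pbkdf2_hash(p) for u, p in SAMPLE.items()}
    print("unsalted groups:", users_sharing_a_hash(unsalted))
    print("pbkdf2 groups:  ", users_sharing_a_hash(salted))
    print("verify ok:", pbkdf2_verify("Summer2020!", salted["asha"]))
```

With unsalted hashes, users who chose the same password are visible in the dump as identical digests; with a per-user salt and an iterated KDF, each record must be worked on separately.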
The last account created in the database is from January 26th, 2020, so it is presumed that the data consists of user information from before that date.
Hackers' statement on the Unacademy data breach
According to the hackers' statements, they have breached more than just user records. They confirmed to Cyble's researchers that they have only put users' data on sale and that their access extends beyond it.
Preventive steps users should take now
Since Unacademy officials have confirmed the hack, users also need to take some action on their end.
- Change your passwords everywhere, not just on Unacademy, if you use the same password everywhere.
- Be more cautious about emails that pretend to be from Unacademy, and don't open or click links in those emails, as they may be phishing emails.
How to confirm if your record has been breached?
Cyble, the company that reported the data breach, offers a service where you can register and check whether your data has been compromised.
- Visit amibreached.com
- Enter the email address with which you registered your Unacademy account and search to see whether your email is at risk.
To check, my teammates at snehiltalks and I entered our email, and I was shocked to find that my email is at risk in 27 different records that are being sold online. It is difficult to identify which results were for Unacademy data, but I found a few records bearing the names of big companies like Canva [a graphic design company, which I use], Zomato [from where I order food], Adobe, and many other familiar names.
More about Unacademy
Unacademy was started in the year 2015 by Roman Saini, who left the coveted IAS to start Unacademy and make education available for all.
Amid the COVID pandemic, the edtech startup saw an increase in user base and engagement and earned more in April 2020 than in any of the months in 2019, 2018, and so on. There were a whopping 120,000 live classes taken in April, and they saw 165 Mn views on their YouTube channels.
Recently, they raised $110 Mn from General Atlantic, Facebook, Sequoia Capital & several others.
Unacademy anticipates an ARR of $300 Mn in upcoming years & is charting a plan to reach this goal.
It faces cut-throat competition in India, with Byju’s, Vedantu, Toppr & several others dominating their niches.
The big question after this hack is: are we safe on the internet? Should we keep changing our passwords and values often over the internet?
With so much insecurity online, it is time to be more alert and keep strong control over our online actions.