What is a username on Unacademy

Unacademy suffered a serious data breach: 22 million records are being sold on the dark web

Unacademy, a Facebook-backed, India-based online learning platform, has suffered a serious data breach, and some cybercriminals are now making money from it. We know this because researchers at Cyble, a cybersecurity company, recently noticed an ad in an underground marketplace selling a database that the seller claims contains 20 million Unacademy accounts. To add it to their AmIBreached.com security breach monitoring service, Cyble experts purchased the database and found that it actually contains a little under 22 million records. More surprising, however, was the price: only $2,000.

Securely hashed passwords lower the price

The wide availability of stolen information means that such databases are usually quite cheap. In this case, however, you can get close to 11,000 accounts for a single dollar, which is an amazingly low price. There is a good reason for this.

Cyble shared the database with reporters from Bleeping Computer, who confirmed that the passwords stored in the dump were hashed using SHA256, a strong hashing algorithm. It will be very difficult to convert the hashes into cleartext passwords, and doing so will likely take time that the crooks are reluctant to invest. In addition, Hemesh Singh, CTO of Unacademy, told Bleeping Computer that the platform has an "OTP-based login system" that is intended to further protect the affected users.

As a precaution, Unacademy users are still advised to change their passwords. It is fair to say, though, that the database currently for sale on the dark web does not pose an imminent threat of account takeover. This does not mean that the breach is insignificant.

Hackers can use the Unacademy data in a number of ways

In addition to the SHA256 hashes, each individual record contains the user's first and last name, username, email address, last login date, and the date the user's account was created. In other words, hackers with $2,000 to spare can still access a lot of useful information. The exposed data can form the basis of carefully crafted spear phishing attacks, which, given the positions some of the data subjects occupy, can have dire consequences.

According to Cyble, many users affected by the Unacademy breach had used their corporate email during registration. Some of them work for big tech companies like Facebook, Google, Infosys, Cognizant and Wipro. If their social engineering skills are good enough, the hackers can potentially trick victims into sharing information that offers an opportunity to compromise a large company's network.

Obviously, this is just a hypothesis at this point, and overall it is difficult to estimate how great the impact of the breach could be, especially given the unknowns that surround it.

There are some question marks surrounding the Unacademy breach

According to Hemesh Singh, the breach "affected around 11 million learners," but as mentioned earlier, the number of records in the database is almost twice that. Unfortunately, Singh did not answer Bleeping Computer's follow-up questions about the discrepancy. Nor did he comment on the hackers' claims.

According to Singh, only "basic information" was revealed during the breach, but the alleged perpetrators told Cyble that the 22 million user records are only part of the data stolen. They say they got away with Unacademy's "entire database," although it is obviously difficult to say how credible their claims are.

Unacademy has launched an investigation that will hopefully confirm or deny these claims, and we hope the results will be publicly announced. In the meantime, Unacademy users must be aware of the dangers associated with the incident and act accordingly.