Unacademy Suffered a Major Data Breach: 22 Million Records Are Sold on the Dark Web

Unacademy, a Facebook-backed, India-based online learning platform, has suffered a serious data breach, and because of this, some cybercriminals are now making money. We know this because researchers from Cyble, a cybersecurity company, recently noticed an advert on an underground marketplace selling a database that, according to the description, contains 20 million Unacademy accounts. In order to add it to their AmIBreached.com breach monitoring service, Cyble's experts acquired the database and realized that it actually contains a little under 22 million records. What was more surprising, however, was the price – just $2,000.

Securely hashed passwords bring the price down

The wide availability of stolen information means that such databases are usually pretty cheap. In this case, however, a single dollar gives you just under 11 thousand accounts, which is an astonishingly low price. There is a good reason for this, though.

Cyble shared the database with reporters from Bleeping Computer who confirmed that the passwords stored in the dump have been hashed with SHA256 – a strong hashing algorithm. Turning the hashes into plaintext passwords is going to be very difficult, and it will likely require time that the crooks will be reluctant to invest. What's more, Hemesh Singh, Unacademy's CTO, told Bleeping Computer that the platform has "an OTP based login system" that is supposed to further protect affected users.

Out of an abundance of caution, Unacademy users are still advised to change their passwords, but it's fair to say that the database currently for sale on the dark web doesn't present any immediate account takeover threat. This doesn't mean that the breach is insignificant, though.

Hackers can exploit the Unacademy data in a number of different ways

In addition to the SHA256 hashes, each and every one of the records contains the user's first and last names, username, email address, last login date, and date of account creation. In other words, hackers who have $2,000 to spare can still gain access to plenty of usable information. The exposed data can be the foundation of carefully crafted spear phishing attacks, which, given the positions some of the affected individuals hold, could have serious consequences.

According to Cyble, plenty of users exposed by the Unacademy breach had used their corporate emails during the registration. Some of them work for major tech companies like Facebook, Google, Infosys, Cognizant, and Wipro. If their social engineering skills are good enough, the hackers can potentially trick victims into sharing information that can present an opportunity for compromising the network of a major company.

Obviously, at this point, this is just a hypothesis, and on the whole, it's difficult to estimate how big the effects of the breach could be, especially given the unknowns that surround it.

There are a few question marks surrounding the Unacademy breach

According to Hemesh Singh, the breach affected "around 11 million learners," but as we mentioned already, the number of records in the database sits at almost twice that. Unfortunately, Singh didn't answer Bleeping Computer's follow-up questions about the discrepancy. He didn't comment on the hackers' claims, either.

According to Singh's statement, only "basic information" was exposed during the breach, but the alleged perpetrators told Cyble that the 22 million user records are just a part of the stolen data. They say that they've made off with Unacademy's "entire database," though it's obviously difficult to say how credible their claims are.

Unacademy has started an investigation which will hopefully confirm or deny these assertions, and we're hoping that the findings will be disclosed publicly. In the meantime, Unacademy users must be aware of the dangers associated with the incident and should act accordingly.

May 8, 2020