May 7, 2020

Unacademy Hacked: 22 Million Users Data Leaked on Dark Web

Unacademy, India’s Largest E-learning platform, has suffered a huge data breach. Professional hackers are selling ALL users’ account information as Unacademy data dump on the Dark Web. Are you a member? Learn what you can do to secure your Unacademy account.

Unacademy Hacked: 22 Million Users Data Leaked on Dark Web

The most recent hacking news will come as a shock to students, corporate learners and members of the e-learning community. India’s leading digital education platform, Unacademy has been hacked, and allegedly 22 million user accounts are up for sale on the dark web.

Reportedly, the breach happened in January, 2020, but it was only discovered after Cyble, a cybersecurity firm from Singapore, identified the Unacademy data dump on an undisclosed Dark Web site ‘For Sale’. The ad went up on May 3rd, 2020 for USD 2000, and promised valuable delivery of 22 Million members’ sensitive account information. But if cyber-attacker’s claims are to be believed, the user database isn’t the only thing Unacademy was breached for.

unacademy hacked - data dump sale

Though a startup, Unacademy has garnered a funding of $200 million up till now, with an international reach. It boasts of preparing over 300,000 students in 6 months for distinctive entrance, competitive and professional courses. Started from a 1 member Youtube channel and now this popular e-learning application has gained over 12,000 top-level educators and 13+ million learners on board. Except for industry and subject experts, Unacedemy also takes pride in being a host to big names like,

Corporations:

  • Facebook
  • Google
  • TCS
  • Accenture
  • Reliance Industries
  • Cognizant
  • Wipro
  • Infosys
  • Banks: SBI, ICICI, Bank of Baroda, Canara Bank, PNB (Punjab National Bank)

Celebrity Guest Tutors:

  • Kiran Bedi, Indian IPS Officer
  • Sachin Tendulkar, Indian Cricketer
  • Shashi Tharoor, Indian Politician
  • Virat Kohli, Indian Cricket Captain
  • Anushka Sharma, Bollywood Actor & Producer
  • Brian Lara, Trinidadian Cricketer
  • Bret Lee, Australian Cricketer
  • And many more
Unacademy data hacked

Though there have many similar cyberattacks on e-learning platforms, this one could prove to be highly detrimental because of the sheer number of data involved. Let’s take a look at the specifics:

Unacademy Data Leak: Details About its User Database Dump

Since its public newscast, few companies have been able to get their hands on the Unacademy user database, and have revealed the file’s general details. For instance, the exact number of contacts spilled are 21,909,709, and it included their following details:

  • User ID and usernames
  • Full Name
  • Email IDs
  • Encrypted Passwords
  • User Role
  • Joining Date
  • Last Login
  • Account Status
Unacademy data dump

Unacademy Data Breach: Official Statements Released

The responsible threat actors have repeatedly insisted that they have access to the e-learning channel’s entire database; but have chosen to sell only the member files for now. If true, this could prove to be a big liability for the organization. When the Unacademy authorities were approached for a comment, they confirmed that around 11 million accounts have been compromised (and not the rumoured 22 Million, as their online database holds 11m emails records only).

They also assured their registered members that nothing sensitive “such as financial data, location or passwords” have fallen into the wrong hands. They further stressed on their data-security policies, saying

“We follow stringent encryption methods using the PBKDF2 algorithm with a SHA256 hash, making it highly implausible for anyone to access the learner passwords. We also follow an OTP based login system that provides an additional layer of security to our learners.”

The company is now fully focused on carrying out vigorous security research for any threats or loopholes in their system.

Unacademy Account Hacked? Here’s What You Can Do

Following the breach, a lot of you must be panicked on what should be the next steps for a registered member like you. Well, by now it seems sure enough that your account details have been leaked, so for initial steps:

  • CHANGE YOUR PASSWORD. Use a strong alpha-numeric key to strengthen your account security.
  • If you use the same/ similar pattern password for any other accounts, change them immediately. Hackers only need a single reference point, and if your Unacademy password is related to anything else, that account has now become vulnerable.
  • If the platform offers, always opt for multi-layer authentication. Just as an extra layer of protection.
  • Cyble, who also found the Zoom Video Conferencing Hack, has also suggested a website to check if your credentials have been hacked or not. Check it here.

Let’s hope Unacademy soon identifies and releases a fix/ update for this breach.