A database of nearly 22 million users of Unacademy with contacts of employees of Google, Infosys, Wipro, Cognizant and its investor Facebook is up for sale on the dark web, as per the US-based security firm Cyble. The company had suffered a breach in January following which contacts were put up for sale as recently as 3rd May for $2000, the firm said.
As per Cyble, the database includes usernames, emails addresses, passwords, first and last names, date joined, last login date, account profile and account status (whether the account is active or not).
In a statement to security news website, BleepingComputer, Unacademy confirmed that basic information related to 11 million learners had been compromised but said that no sensitive information such as financial data, passwords or location had been leaked. The firm said it is conducting further background checks and will keep users updated.
Unacademy currently raised a Series E round of funding of $110 million. Key investors in the firm include Facebook, General Atlantic and Sequoia.
The hackers are only putting up the user records up for sale at this time and may have access to more information, explained Cyble. The firm suggested that registered Unacademy educators and learners immediately change their passwords on the site.
“We have been closely monitoring the situation and would like to assure our users that no sensitive information such as financial data or location has been breached. Data security and privacy protection of our users is of utmost importance to us and we are doing everything possible, to ensure no personal information is compromised. We follow stringent encryption methods using the PBKDF2 algorithm with a SHA256 hash, making it highly implausible for anyone to decrypt passwords. We also follow an OTP based login system that provides an additional layer of security to our users," said Hemesh Singh, Co-Founder and CTO, Unacademy.
"As per our internal investigations, email data of around 11 million users has been compromised as against 22 million stated in reports. This is on account of only around 11 million email data of users available on the Unacademy platform. We are doing a complete background check and will be addressing any potential security loophole to further bolster our efforts of ensuring a far more robust security mechanism. We are in communication with our users to keep them updated on the progress,” he added.