Unacademy Confirms Data Breach; Database of 2.2 Crore Users Up for Sale on the Dark Web

One of India’s largest e-learning platforms, Unacademy, suffered a huge data breach back in January earlier this year. The company has already confirmed the breach and said that it affects over 1.1 crore users of the platform. This figure, however, is simply half of the number of user accounts that the alleged hacker has put up for sale on the dark web.

First spotted by US cybersecurity firm Cyble, Unacademy’s user database was up for sale on the dark web for $2,000 (around Rs. 1,50,000) earlier this week. The listing advertised that the database to have 2 crore records but in reality, it was found to have the data of 2,19,09,707 users. This is close to 2.2 crore learners, which is almost the entire userbase of Unacademy. The breach was first reported by BleepingComputer.

The database does contain sensitive information, including name, username, e-mail IDs, and passwords of the users. The passwords are encrypted with a SHA-256 hash, which means they are not plain text and easily viewable. Also, the database lists whether an account is currently active or not.

Cyble further reveals that the exposed database not only includes the details of regular users. Corporate e-mail addresses from bigtime tech giants such as Cognizant, Google, Infosys, Facebook, and Wipro were also leaked in the breach. This means if any of the employees at these companies were using the same login credentials for Unacademy and professional use, then their personal data could be at risk.

As mentioned earlier, Facebook-backed Unacademy has acknowledged the data breach. Co-founder and CEO Gaurav Munjal took to Twitter today to shed light on the current situation. He confirms that the users’ basic information was compromised in the hack but the location and financial data are safe and sound.

We follow stringent encryption methods using the PBKDF2 algorithm with a SHA256 hash, making it highly implausible for anyone to decrypt your passwords. I would still advice you to change your password on other platforms if you were using the same password at multiple places.

— Gaurav Munjal (@gauravmunjal) May 7, 2020

If you are a regular Unacademy user, we strongly suggest you change your password – not only on this platform but any other website where you input the same password as well – right away. The company is currently investigating the data breach and should reach out to affected users, with a request to secure their accounts, in the coming days.