A hacker has struck Unacademy, a popular online learning platform in India, and put around 2.2 crore users’ data up for sale on the dark web for $2000.
Cyble, a US-based cybersecurity firm, discovered the breach of the Bangalore-based learning portal and stated that the hacker obtained the data back in January, compromising a total of 2,19,09,707 user records.
The database reportedly includes usernames, hashed passwords, email addresses, and first and last names of users. Unacademy has confirmed the breach in a statement, though it has said that only 11 million users were affected.
While the breach of data is serious in itself, what is more alarming is the fact that many learners on the platform could have used their work email addresses to access content on the site, in turn compromising their entire workplace network.
BleepingComputer, an information security and technology news publication, reported that accounts using corporate email addresses are also part of the exposed database.
These email addresses reportedly include company names such as Cognizant, Google, Infosys, and Wipro, as well as Unacademy's investor Facebook, among others.
The last user account created in the database is from January 26, which suggests that the hacker was able to breach Unacademy's systems sometime in January.
In a statement to Gadgets 360, Unacademy co-founder and CTO Hemesh Singh acknowledged the data breach, though he stated that only 11 million users were affected as per internal investigations — not the nearly 22 million number reported by Cyble.
Singh has assured users that no sensitive information such as financial data or location has been breached and added that they are doing everything possible to prevent personal information from being compromised.
However, BleepingComputer claimed that it was able to see hashed passwords amongst the records available in the exposed database. There are reports that suggest the hacker is in possession of ‘additional data’ as well, apart from what has already been revealed.
Experts recommend that existing Unacademy users immediately change their password, change it on any other frequented sites where the same password is used, and beware of phishing emails.