Bengaluru based edtech start-up Unacademy was targeted by a cyberattack in January 2020, resulting in exposure of over 20 million user accounts, which were later sold on Dark Web (part of the internet that is not indexed by search engines), cybersecurity intelligence firm Cyble claims in a blog post.
Unacademy has confirmed that they suffered a breach, while assuring that no sensitive information has been compromised.
“We have been closely monitoring the situation and can confirm that basic information related to around 11 million learners has been compromised. However, we would like to assure our learners that no sensitive information such as financial data, location or passwords has been breached," Hemesh Singh, Co- Founder and CTO, Unacademy told Mint.
Elaborating on measures taken to secure user data, Singh said, “We follow stringent encryption methods using the PBKDF2 algorithm with a SHA256 hash, making it highly implausible for anyone to access the learner passwords. We also follow an OTP based login system that provides an additional layer of security to our learners."
The company is doing a complete background check and will be addressing any potential security loophole.
“Data security and privacy of our learners is of utmost importance to us and we will be in communication with our learners to keep them updated on the progress," Singh added.
The attackers behind the breach claimed on Dark Web that they have the entire Unacademy database. However, they decided to only leak users account at this point in time, indicating that more leaks can be expected in future, the blog post states.
Cyble has acquired the leaked data base which contains account details of 21,909,709 Unacademy users.
Cyble was also instrumental in reporting the data breach involving teleconferencing platform Zoom. Over half a million login details of Zoom users were found by them on DarkWeb, which they later acquired to prevent them from falling into wrong hands.
Founded in 2015 by Gaurav Munjal, Roman Saini and Hemesh Singh, Unacademy is one of the leading edtech platforms in India with more than 10,000 registered Educators and 13 million learners.
Following the covid-19 outbreak, Unacademy had opened its platform to educational institutions free of cost allowing them to conduct live classes through it. The company’s investors include Facebook, Sequoia India, SAIF Partners and Blume Ventures.
With more students turning to e-learning to supplement their classroom learning, edtech platforms have emerged as a lucrative target for cybercriminals.
Another Bengaluru-based edtech startup Vedantu had suffered a data breach in September 2019, exposing names, emails, phone numbers and IP addresses of over 6.8 lakh users. The breach was reported by security researcher Troy Hunt.