Unacademy, India’s biggest e-learning portal hacked

Unacademy, the largest educational platform, was hacked. According to Cyble, a US-based security firm, a database of over 2 crore users was out. It’s been on sale on the dark web with contacts from Wipro employees, Infosys, Cognizant, Google, and their Facebook investor.

Unacademy, which is one of India’s largest online learning platforms has faced a data breach. Details of Unacademy’s 22 million users are now reportedly on sale. The database contains usernames, email addresses, passwords, joined date, last login date, first and last names, account profile, and account status.BleepingComputer has contacted some Unacademy learning app users and confirmed that the hacked data is authentic.

Assurances From Unacademy

Unacademy says that as per our internal investigations, email data from about 11 million users compromises. They assure our users that no confidential information such as financial data or location has been infringed. There users’ data protection and privacy are of the utmost importance to us. And they’re doing whatever they can make sure no confidential information is compromised.

According to Cyble, at this point the hackers would only put the user records up for sale and may have access to more information. The firm has suggested that students and educators registered with Unacademy automatically update their passwords on the web.

Hacker sells 22 million users data after the data breach

hackers first gained access to unacademy’s database. And started selling user’s information to nearly 22 million accounts. Unacademy is one of the Indias biggest e-learning platforms in India. It has around 14 K professors, above one million video tutorials, and more than 20 million registered students or users.

The last account created in the database is from January 26, 2020. This indicates that the hacker most likely to break the law on the systems of Unacademy around that time. Cyble has told BleepingComputer that the database often includes multiple accounts using client addresses.

However, hackers have also reported to the researchers at Cyble that they have not only stolen the entire database. They have also stolen some other information which is not yet clear. They announced that for now, they are only selling the user information at this point.

Hacked Unacademy device data is selling on the dark web

The reports suggest that the database for the leading learning app of about 22 million users is on sale on the dark web. They sell user information for $2000.Cyble, a cybersecurity firm headquartered in the US, detected the intrusion of the Bangalore-based learning portal and announced that the hacker got the data back in January, compromising a total of 22 million user data. The database includes usernames, hashed passwords, first and last email addresses, and user names.

Now, What the users have to do?

• If you are a registered in Unacademy, it is strongly suggested to the users to change your password at the site immediately.
• If you use the same password on other sites, then they ask to change those passwords to a unique one.
• Users should also be more cautious with Unacademy’s targeting phishing emails and using the Unacademy-saved information.

Security Challenges and way to overcome it

• Account Breaches: This is eLearning platforms face the most popular security problem. Unacademy is yet another survivor of this challenge, too. They hack thousands of passwords per second. However, we can overcome this problem only by making sure LMS is only accessible from the office networks.
• Web App Security Loopholes: Each web application has security vulnerabilities that must find and fix it before launch. The way to prevent attacks like this is to encrypt the data.
• Data Manipulation: These service providers store on the single domain the data of each platform which exposes your data to a greater threat. By having your data encrypted and taking its backup at regular intervals you can resolve this problem.
• Issues in Access Control Rules: This means that one user may have more access and a different user may have less access.

Conclusion

Cyble asked Unacademy users to change their Unacademy passwords and similar passwords used on other accounts or sites for security issues and avoid using third party corporate email addresses where possible. They also urged users affected to observe their financial accounts for anomalous transactions

In addition to testing for these security risks, it is recommended that the eLearning program acts in accordance with all relevant data protection regulations. Precaution is always better than regretting. One mistake in eLearning platforms can make you the next sensational news target for a data breach. Thus, choose a well thought of website development company with eLearning that knows the destructive power of a single security loophole. Commit to acting frankly, with honesty and with confidentiality.