Unacademy hacked

Unacademy database hacked, 2 crore passwords leaked and hackers selling the data for 2000$

The website of Bengaluru-based ed-tech start-up Unacademy was hacked, and the data of around 2 crore users of the Unacademy website was leaked. The hackers put this data up for sale on the dark web.

The database was hacked in January 2020 by an attacker who had access to the entire database. According to Cyble Inc, the attacker began selling Unacademy data containing the email ID, username, password, date joined, last login date, first and last names, account profile and account status (whether the account is active) of more than 2 crore users for 2000$.

Hemesh Singh, Co-Founder and CTO, Unacademy, said in a statement, “As per our internal investigations, email data of around 11 million users has been compromised as against 22 million stated in reports. This is on account of only around 11 million email data of users available on the Unacademy platform. We have been closely monitoring the situation and would like to assure our users that no sensitive information such as financial data or location has been breached. Data security and protection of our users is of utmost importance to us and we are doing everything possible, to ensure no personal information is compromised. We follow stringent encryption methods using the PBKDF2 algorithm with a SHA256 hash, making it highly implausible for anyone to decrypt passwords. We also follow an OTP based login system that provides an additional layer of security to our users.”

What can happen next if you are a registered user on Unacademy?

  1. If you use a weak password, for example apple123 or admin1234, hackers can recover it from the leaked hash.
  2. Your social accounts can be hacked if you use a weak password and your Unacademy password is also your password on Gmail, Facebook or any other social account.
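Why PBKDF2 with SHA256 does not save a weak password, shown as an added example (not Unacademy's code): a salted, slow hash makes every guess expensive, but a password on a short list of common choices needs only a few guesses. The iteration count, the word list and the function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; the page does not state the real one
# Constructed sample of common passwords; includes the two examples from the page.
COMMON_PASSWORDS = ["123456", "password", "apple123", "admin1234", "qwerty"]


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, iterations, derived_key) using PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, key


def verify_password(password, record):
    """Check a login attempt against a stored record in constant time."""
    salt, iterations, stored = record
    _, _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)


def is_guessable(record, wordlist=COMMON_PASSWORDS):
    """True if the stored hash matches any entry of a common-password list.

    The salt stops precomputed tables and the iterations slow each guess,
    but neither helps when the password is one of the first few guesses.
    """
    return any(verify_password(word, record) for word in wordlist)


def accept_new_password(password, wordlist=COMMON_PASSWORDS, min_length=12):
    """Signup/reset policy: refuse short or commonly used passwords."""
    return len(password) >= min_length and password.lower() not in wordlist


if __name__ == "__main__":
    weak = hash_password("apple123")
    strong = hash_password("correct-horse-battery-staple-42")
    print("weak record guessable:  ", is_guessable(weak))
    print("strong record guessable:", is_guessable(strong))
    print("policy accepts apple123:", accept_new_password("apple123"))
```
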

What should you do?

  1. Change the passwords of any other accounts that use a similar password pattern.
  2. Use two-factor authentication wherever possible.
  3. Monitor your financial transaction records daily to detect any anomalies.
  4. Visit https://haveibeenpwned.com/ and enter your email ID to get a list of the sites whose data was recently hacked and made publicly available.