Unacademy says that around 11 Mn users have been compromised
Cyble said that the breach happened in January 2020
The hacker has said that further leaks are expected in the near future
Bengaluru-based Unacademy has found itself in the middle of a massive data breach. A report by cybersecurity firm Cyble found that a threat actor was selling an Unacademy user database containing 20 Mn accounts for $2,000 on the dark web.
However, the company claimed that as per its internal investigations, email data of around 11 Mn users has been compromised, as against the 22 Mn stated in reports. “This is on account of only around 11 Mn email data of users available on the Unacademy platform,” said Hemesh Singh, cofounder and CTO, Unacademy.
Cyble said that on May 5 it discovered that a data breach took place in January 2020 and that the hacker has now started to leak user accounts. The hacker has also claimed to have access to Unacademy’s entire database.
Cyble said that it has acquired the leaked database, which contains details of 21.9 Mn Unacademy user accounts, such as user ID, encrypted password, email address, date joined and last login, among others.
“We have seen accounts/records with domain names from Infosys, TCS, Cognizant, Reliance Industries, TCS, HDFC, Accenture, ICICI, SBI, Canara Bank, Bank of Baroda, Punjab National Bank and several other large organisations,” Cyble said in its post.
Meanwhile, Singh said that the company was closely monitoring the situation and would like to assure its users that no sensitive information such as financial data or location has been breached.
“Data security and privacy protection of our users is of utmost importance to us and we are doing everything possible to ensure no personal information is compromised. We follow stringent encryption methods using the PBKDF2 algorithm with a SHA256 hash, making it highly implausible for anyone to decrypt passwords. We also follow an OTP-based login system that provides an additional layer of security to our users,” he added.
The company said that it is doing a complete background check and will be addressing any potential security loophole to further bolster its efforts of ensuring a far more robust security mechanism. “We are in communication with our users to keep them updated on the progress,” Singh added.
In a Twitter post, Unacademy CEO Gaurav Munjal advised users to change their password on other platforms if they were using the same password at multiple places.
Founded in 2010 by Gaurav Munjal, Roman Saini, and Hemesh Singh, Unacademy began its journey with a free YouTube tutorial to teach students, and in 2015 the company started offering free learning lessons on every possible topic in multiple languages.
Today, the company has more than 10K registered educators and 13 Mn learners. The company claims to have 100 Mn monthly views across its various platforms such as Unacademy, Unacademy Plus, Wifistudy, Chamomile Tea with Toppers, Unacademy Studios and The Solutionists.
Unacademy has raised more than $88.6 Mn from investors such as Facebook, Steadview Capital, Sequoia India, Nexus Venture Partners and Blume Ventures among others.
Government data reveals that in 2019 alone, India witnessed 3.94 Lakh instances of cybersecurity incidents. In terms of hacking of state and central government websites, CERT-In data shows that a total of 336 websites belonging to central ministries, departments and state governments were hacked between 2017 and 2019.
The Indian government was planning to unveil an official cybersecurity strategy policy in January 2020. Without an official policy, the government has taken disparate steps to boost cybersecurity and even announced grants for startups in this space.
According to Nasscom’s Data Security Council of India (DSCI) report 2019, India witnessed the second-highest number of cyberattacks in the world between 2016 and 2018. This comes at a time when digitisation of the Indian economy is predicted to result in a $435 Bn opportunity by 2025.
Update: May 8, 2020 | 12:28 PM
In a statement to Inc42 after the story was published, Accenture said, “Accenture has no professional relationship with Unacademy, and any implication or assertion otherwise is erroneous. Accenture has suffered no data breach or loss of any records or client information as a result of this incident.”