Online Learning Platform Unacademy Suffers a Data Breach Which Impacts 22m Users
From DDoS attacks to the current highly favored phishing attacks that ultimately result in data breaches, cyber-attacks are a rising threat to companies, governments, and individuals around the globe.
These attacks can come via applications and platforms on any connected device and may originate from so-called hacktivist organizations or state-sponsored cyber-war units.
Hackers love online databases because they store massive amounts of personal information, and attackers are quick to monetize this data through the dark web for their own benefit. The data we input into online systems can be very valuable to bad actors. As a private individual, sometimes there is no way to make sure that adequate security levels protect the services we use. That is a sad fact that over 22 million Unacademy users recently found out.
The reality that Unacademy could be the focus of such a major attack shows that any system can become susceptible to hackers if security is not given priority. With hackers being busier than ever before due to a wide variety of coronavirus scams, the most important thing online platforms can do is protect their customers' data with advanced data-centric security products.
A first step would be to use technologies like tokenization and format-preserving encryption that can render PII, including names, IP addresses, and any other personal or sensitive information, worthless to hackers and prevent massive data breaches like this.
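The tokenization idea above, as an added example that is not part of the original article: the application database stores only keyed tokens, while the real values sit in a separate vault. The field names, the `TokenVault` class and the sample record are assumptions made for illustration, and this is vault tokenization built on HMAC-SHA256, not a standards-based format-preserving cipher such as NIST FF1.

```python
import hashlib
import hmac
import secrets

# Assumed field names, modelled on typical account-profile data.
PII_FIELDS = ("username", "email", "first_name", "last_name")


class TokenVault:
    """Holds the only copy of the real values; the application database stores tokens."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)  # secret kept outside the app database
        self._values = {}                           # token -> original value

    def tokenize(self, field, value):
        # Keyed and deterministic: equal inputs give equal tokens, so lookups and joins
        # on the token still work, but tokens cannot be recomputed without the key.
        msg = f"{field}\x00{value}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]
        # Email tokens keep an email-like shape so downstream format checks still pass.
        token = f"{digest}@token.invalid" if field == "email" else f"tok_{digest}"
        self._values[token] = value
        return token

    def detokenize(self, token):
        return self._values[token]  # raises KeyError for unknown tokens


def tokenize_record(vault, record):
    """Return the row as it would be stored: PII replaced by tokens, other fields kept."""
    return {k: vault.tokenize(k, v) if k in PII_FIELDS else v for k, v in record.items()}


def leaked_values(stored_row, original):
    """PII values that can be read directly from a dump of the stored row."""
    dumped = " ".join(str(v) for v in stored_row.values()).lower()
    return [original[f] for f in PII_FIELDS if original[f].lower() in dumped]


# Constructed sample record, not real user data.
SAMPLE = {"username": "asha.k", "email": "asha.k@corp.example", "first_name": "Asha",
          "last_name": "Kumar", "joined": "2019-03-14"}

if __name__ == "__main__":
    vault = TokenVault()
    row = tokenize_record(vault, SAMPLE)
    print(row)
    print("readable PII in dump:", leaked_values(row, SAMPLE))
```

The protection holds only if the vault and its key live in a separately controlled system; a dump that includes both is equivalent to a dump of the plaintext.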
The Unacademy Breach
The fact that these attacks are becoming increasingly common is very troubling.
As if the current online course scams weren't enough, we witnessed an actual online learning platform breach in 2020. Unacademy is one of the world's leading online learning platforms with fourteen thousand teachers, one million video lessons, and more than 20 million registered learners. The platform recently raised $110 million in funding from Facebook, General Atlantic, and Sequoia and is currently valued at more than US $500 million.
Aside from the actual attack, it was also discovered that the unidentified hackers had put 21,909,707 user records up for sale on darknet forums for around $2,000. The leaked information included usernames, hashed passwords, joining dates, last login dates, first and last names, email addresses, and other data about account profiles.
To make matters worse, most of the breached Unacademy accounts were created with corporate emails that included users from companies such as Infosys, Wipro, Google, Cognizant, and Facebook. If these corporate learners employed the same password on both their company's network and the Unacademy website, those networks are now at risk of being hacked by cybercriminals too.
How the Platform Responded
Unacademy's co-founder and CTO, Hemesh Singh, confirmed the data breach and asserted that only 11 million users had been affected and that no sensitive information such as financial data, location, or passwords had been exposed.
If you are one of Unacademy's platform users, it is highly advisable to change your password immediately. If you use the same password for all of your online accounts, you should change it on those other sites too.
You can also visit Am I Breached? to verify if your account has been compromised. Furthermore, it now appears to be a good time to invest in safe cloud storage solutions to back up any valuable data on connected devices. Failure to do so could mean the data is lost forever, or require a sizable investment in emergency data recovery. Beware of any targeted phishing emails that may claim to be from Unacademy demanding account information or specific verifications.
Protecting Yourself from Cyberattacks
Experts say that they've seen a sharp rise in "phishing" attacks targeting people working from home since the outbreak of the coronavirus pandemic. These attacks have come in the form of emails and even a variety of WhatsApp scams. They ask the recipient to click on a link in an email or message that then leads to malware being installed on the connected device.
Due to the pandemic, many companies around the globe are letting their staff work remotely. Many make the shift within a matter of mere days, leading to vulnerabilities within their corporate networks. But there are several steps employees and employers can take to make the work-from-home environment safer.
Upgrade and Update all Your Connected Devices
Many companies focus on providing employees with separate work devices, but not all of them. Anyone who is now using personal laptops or mobile phones for work can be more vulnerable to cybercriminals, especially if they are used by multiple people at home or for a mix of personal and professional tasks.
The first step anyone working from home can take to protect their network from security threats, even if there are separate workstations or an older device is being used, is to make sure that the latest available software updates have been installed, so that all the applicable devices are equipped with the latest security patches.
Change Your WiFi Password Regularly
Although many may recognize how important it is to change passwords regularly for email, social media accounts, and other online services, it's much less common to do this with their domestic WiFi networks.
Updating your WiFi password may lead to some temporary inconvenience. Get ready to hear a few mumbles as everyone in the house has to reconnect all their devices, but this can ensure that you don't get hacked. And if in doubt, there's always the tried and tested go-to tech support recommendation – turn it off and back on again. You may not be aware of this, but the resetting of a WiFi router is one of the easiest ways to get rid of certain common types of malware.
Furthermore, if you have the means, it may be worth buying a new router and even a new laptop specifically for work purposes if you're going to be switching to telecommuting for the coming months.
Turn Off Your Work Laptop When You're Not Using It
Most people do not shut their devices down at the end of the working day, but doing so is a very simple way to stay safer. If you want to avoid becoming a ransomware victim, shutting down and powering back up your home computer or laptop can prevent viruses or malware from being properly embedded in your devices. That thwarts certain types of malware that reside in the memory of the device and get erased when it's shut down.
It's just as straightforward as temporarily closing any "open line" for new attacks – think of it as closing your gate when you leave home for work. At the end of each business day, try to do the same with your smartphone. Phones are the biggest risk because we put so much information on them.
Facial Recognition, Fingerprint Logins and Other
However, it is not just the employees who have to implement safe practices. It is also up to businesses to recognize the new risks posed by remote workers and to implement appropriate safeguards. With everyone required to work away from the office, unapproved access to a single employee's computer or laptop could mean access to the entire organization.
Many companies provide access to virtual private networks (VPNs) that conceal your connection to the internet to achieve increased encryption and confidentiality. But do not lean too heavily on VPN services if your employer does not expressly provide them.
Some of the free VPN service providers may have full access to your sensitive work data on their servers before they encrypt it, opening an even worse possible vulnerability.
Companies have to adopt more "zero trust" methods when it comes to cybersecurity, which means working with the assumption that no connected device is secure. Organizations can empower their employees with even more security measures, such as multi-factor or two-factor authentication – employing a code from an external device in conjunction with usernames and passwords, or even biometric login technologies such as facial recognition or fingerprint scans.
Numerous homeworkers are already used to the technology. They're already using it to get into their phones, and even some of their apps – just not any work apps, and that should change this year.