A hacker has breached Mathway, a popular math solving application, from where they have stolen more than 25 million emails and passwords, ZDNet has learned.
The hack is the latest in a long line of security breaches carried out by a hacker going by the name of ShinyHunters, the threat actor also responsible for intrusions at Tokopedia, Wishbone, Zoosk, and others.
For the past few months, the hacker has been breaching companies and putting their data on sale on a dark web marketplace and internet hacking forums. In total, it is believed that the hacker has sold access to more than 200 million user details.
Mathway intrusion took place in January 2020
"The only thing I can say is that the [Mathway] hack took place in January 2020," ShinyHunters told ZDNet in an interview on Thursday while trying to avoid revealing too many details about the intrusion.
The hacker said they accessed the company's backend, dumped the database, and then removed access to avoid getting detected.
Since the start of May, the hacker has been selling the Mathway data on the dark web, and later also began selling it on a public and very popular hacking forum.
The Mathway data has been up for sale for the equivalent of $4,000 in Bitcoin or Monero. According to samples reviewed by ZDNet, the data includes user emails and hashed passwords. The password hashing algorithm is unknown, so it's unclear if these passwords can be cracked and reverted back to their cleartext forms, which would make the entire data dump a lot more valuable for other cybercrime gangs.
Data allegedly leaked in full
Like all the previous databases that ShinyHunters has been selling, the Mathway data is slowly making its way from private circles into the public domain.
This week, a copy of the Mathway database began circulating more broadly, being shared on Telegram channels dedicated to "data brokers," a category of the cybercrime underworld specialized in buying and trading hacked data.
The above screenshot was provided to ZDNet by another data broker, and we were not able to obtain a copy of the leak in full, although, there is no reason to believe the data is fake since the data broker has been a reliable source for ZDNet coverage in the past.
Only emails and hashed passwords are included in this leak, but many of these are most likely to belong to children, something that's not going to sit very well with some parents.
Contacted for comment, a Mathway spokesperson provided ZDNet with the following statement, admitting to the breach and promising to notify all impacted users:
At Mathway, we take our customer's trust seriously, especially when it comes to their data, and we are committed to doing what is right for our customers. We recently discovered that certain Mathway customer account data, emails and hashed and salted passwords, was acquired by an unauthorized party. Upon learning of this, we retained a leading data security firm to investigate, address any vulnerabilities and remediate the incident. We are notifying all potentially impacted customers and are requiring password resets for all accounts. We regret any inconvenience this may cause our customers.
Mathway currently runs one of the most popular educational apps on the market, with its app being broadly used across the world since the late 2000s.
The company's app has been extremely popular with students and children alike, providing crucial help with learning basic and advanced math problems.
Mathway is currently available as an Android and iOS app, and as a web service, with its mathway.com website ranking #2,605 in the Alexa internet traffic index, being one of the most popular websites on the internet, despite its niche feature-set and targeted audience.
Updated at 3:40pm ET with new statement from Mathway.
10 worst hacks and data breaches of 2019 (in pictures)