A hacker has breached Mathway, a popular math solving application, and stolen more than 25 million emails and passwords, ZDNet has learned.

The hack is the latest in a long line of security breaches carried out by a hacker going by the name of ShinyHunters, the threat actor also responsible for intrusions at Tokopedia, Wishbone, Zoosk, and others.

For the past few months, the hacker has been breaching companies and putting their data on sale on a dark web marketplace and internet hacking forums. In total, it is believed that the hacker has sold access to more than 200 million user details.

Mathway intrusion took place in January 2020

“The only thing I can say is that the [Mathway] hack took place in January 2020,” ShinyHunters told ZDNet in an interview on Thursday while trying to avoid revealing too many details about the intrusion.

The hacker said they accessed the company’s backend, dumped the database, and then removed access to avoid getting detected.

Since the start of May, the hacker has been selling the Mathway data on the dark web, and later also began selling it on a public and very popular hacking forum.


The Mathway data has been up for sale for the equivalent of $4,000 in Bitcoin or Monero. According to samples reviewed by ZDNet, the data includes user emails and hashed passwords. The password hashing algorithm is unknown, so it’s unclear if these passwords can be cracked and reverted to their cleartext forms, which would make the entire data dump a lot more valuable for other cybercrime gangs.

In an email this week, Mathway said it was aware of ShinyHunters’ ad.

“We are aware of reports of a potential data compromise,” the company told us. “We are currently working with cybersecurity experts to investigate further, and will take the appropriate steps to ensure the security of customer information.”

Data allegedly leaked in full

Like all the previous databases that ShinyHunters has been selling, the Mathway data is slowly making its way from private circles into the public domain.

This week, a copy of the Mathway database began circulating more broadly, being shared on Telegram channels dedicated to “data brokers,” a category of the cybercrime underworld specialized in buying and trading hacked data.


Image: ZDNet [provided]

The above screenshot was provided to ZDNet by another data broker. We were not able to obtain a copy of the leak in full, although there is no reason to believe the data is fake, since the data broker has been a reliable source for ZDNet coverage in the past.

When asked for a new comment earlier today, Mathway did not reply to an email about this latest development.

The company currently runs one of the most popular educational apps on the market, with its app being broadly used across the world since the late 2000s.

The company’s app has been extremely popular with students and children alike, providing crucial help with learning basic and advanced math problems.

Mathway is currently available as an Android and iOS app and as a web service. Its website ranks #2,605 in the Alexa internet traffic index, making it one of the most popular websites on the internet despite its niche feature set and targeted audience.

Only emails and hashed passwords are included in this leak, but many of these are most likely to belong to children, something that’s not going to sit very well with some parents.