More than 25 million user records, belonging to popular math app Mathway, are being sold on the dark web. 

According to ZDNet, the hack is the latest in a long line of security breaches carried out by a hacker going by the name of ShinyHunters, the threat actor also responsible for intrusions at Tokopedia, Wishbone, Zoosk, and others. For the past few months, says ZDNet, the hacker has been breaching companies and putting their data on sale on a dark web marketplace and internet hacking forums. In total, it is believed that the hacker has sold access to more than 200 million user details.

In an interview with ZDNet, the hacker said he had breached Mathway in January 2020 by accessing the company's backend, dumping the database, and then removing access to avoid getting detected. But, since the start of May, the hacker has been selling the records on the dark web and on a popular hacking forum. 

The Mathway data has been up for sale for the equivalent of $4,000 in Bitcoin or Monero, reports ZDNet. According to samples reviewed by ZDNet, the data includes user emails and hashed passwords. Since the password hashing algorithm is unknown, says ZDNet, it's unclear if these passwords can be cracked and reverted back to their cleartext forms, which would make the entire data dump a lot more valuable for other cybercrime gangs.

Terence Jackson, Chief Information Security Officer at Thycotic, says, “These attacks appear to just be targeting cloud misconfigurations, and they are looking for intellectual property and credentials which they will likely leverage in credential stuffing attacks. This reinforces that consumers need to utilize password managers to generate unique passwords for each site or service they access online. Hackers thrive on leaked or stolen credentials and password reuse the gain access to more personal data. The incident can also be used to reinforce security awareness training for employees and acceptable use of the corporate email addresses.”

Arun Kothanath, Chief Security Strategist at Clango, notes, “By monitoring and controlling who can access what in an IT environment, an organization can effectively defend against even the most sophisticated cyberattacks. In Mathway’s incident, a lack of access and privilege controls seems to have played a large role in preventing them from detecting a sophisticated sensitive data breach. Cybersecurity best practices would suggest that sensitive data should always be protected by reliable access controls. Credentials can be stolen, passwords can be cracked, but identity and access management (IAM) programs driven by best practices can prevent even the most skilled hacking groups from stealing sensitive data by ensuring proactive controls in place. Mathway could have been benefited from an IAM platform that would have raised alerts and warnings based on anomalies in access patterns and privilege violations.”