A data breach broker, known as ShinyHunters, offered to sell a database consisting of 25 million Mathway user records on a marketplace in the dark web. Mathway is a free math problem-solving app that can solve a user's math problems with a snap of a picture. It has over 10 million downloads on google play store and app store.
This breach was one of the latest compared to the many other breaches carried out by the same threat actor. They were also responsible for leaking sensitive data from Tokopedia, Wishbone, Zoosk, and many other companies.
It is recommended that users reset their passwords because according to Mathway, the passwords itself weren't acquired, but rather the cryptographically protected version of it were. Even though not much personal information has been acquired from this breach, it's still something to be cautious about because if a breached account contained an email address and a password, the hacker's first instinct would be to try logging into the user's email account with the same credentials because many people have the tendency to use the same password across many different sites.
According to the interview given by ShinyHunters to ZDNet, it is confirmed that the Mathway breach took place in January 2020. The hackers have accessed the company's backend and removed access to the database to avoid detection. At the start of May, the data from Mathway has been on sale on the darkweb for around $4,000 in Bitcoin and Monero. This type of data is valuable to other cybercrime gangs because it contains email addresses and hashed passwords. But it's unclear whether the hashed passwords can be reverted to their cleartext forms because the password hashing algorithm is unknown.
A big mistake that Mathway has made is not having proper access and privilege controls. In an IT environment, an organization can prevent a sophisticated cyberattack from affecting sensitive data by controlling who has privileges to access what.
Another mistake that Mathway made is using an outdated cryptographic hash known as MD5 to protect user's passwords. Millions of these password hashes can be hacked every second. The company should've used a more secure cryptographic hash to make the computing a lot slower. A salt should also be added on top of the cryptographic hash for extra security.
According to Scott Gordon, CISSP of Pulse Secure, the education sector is prone to many vulnerabilities during this period of time because they need adjust their operations to accommodate millions of students and teachers throughout the United States because of Covid-19. Gordon weighs in on the point he makes: "The EdTech digital marketplace is being targeted for cyberattacks and should consider more progressive security controls as institutions, parents and students seek additional online options to facilitate e-learning. Popular learning apps are often fertile ground for hackers - the ShinyHunters breach of Mathway is a prime example. As the breach exposed 25 million emails and passwords, there is the likelihood that some identity theft will go beyond consumer impact and actually expose organizations."
One major lesson that can be learned from this breach is that there is no reason to rely on credentials such as passwords when there are better ways to improve security.
