A hacker has breached Mathway, a popular math solving application, from where they have stolen more than 25 million emails and passwords. The hack is the latest in a long line of security breaches carried out by a hacker going by the name of ShinyHunters, the threat actor also responsible for intrusions at Tokopedia, Wishbone, Zoosk, and others. Only emails and hashed passwords are included in this leak, but many of these are most likely to belong to children.

The education sector is particularly vulnerable during social distancing since they need to adjust operations for millions of students and faculty throughout the United States that have been impacted by COVID-19. The edtech digital marketplace is being targeted for cyberattacks and should consider more progressive security controls as institutions, parents and students seek additional online options to facilitate e-learning. Popular learning apps are often fertile ground for hackers – the ShinyHunters breach of Mathway is a prime example. As the breach exposed 25 million emails and passwords, there is the likelihood that some identity theft will go beyond consumer impact and actually expose organizations. As edtech digital suppliers rapidly expand their user base, they must improve their security posture and enhance Zero Trust access policies, such as multi-factor authentication and encrypted communications, to reduce cyber risks, adhere to data protection obligations, and ultimately ensure the safety of their users – particularly minors.
The exposure of 25 million Mathway usernames and passwords now for sale on the dark web gives fraudsters access to far more than a learning app. As consumers frequently use the same username and passwords across accounts, cybercriminals can easily use these credentials to access other user accounts including social media, banking and even insurance. Once logged in, fraudsters can change passwords to lock the legitimate user out, transfer funds and even obtain insurance benefits. Parents and students are increasingly turning to e-learning apps as students are forced to work remotely due to the pandemic, making online educational resources a desired avenue for fraud. It’s time organizations stop relying on usernames and passwords to keep user accounts secure. Biometric authentication (leveraging a person’s unique human traits to verify identity) ensures only the true user can access their account.