ShinyHunters hacker: Mathway data breach reported

Posted May 23, 2020 by Tim Sandle
ShinyHunters hackers have hit the education site Mathway, causing a data breach. As a result of the hack, more than 25 million emails and passwords have been stolen. Many of these are most likely to belong to children.
Details of the attack have been reported by ZDNet. The exposed data takes the form of email addresses and hashed passwords, based on the data that has been offered for sale to date. It is unclear if the leaked passwords can be cracked.
Mathway is a sophisticated calculator that enables users to type in mathematics questions and then to receive the answer for free through its website or via Android and iOS apps.
The hack is the latest in a long line of security breaches carried out by a hacker going by the name of ShinyHunters. Other recent attacks have targeted Tokopedia, Wishbone, and Zoosk. In each case, personal data relating to customers of the sites has ended up on the dark web.
Looking into the hack for Digital Journal, Scott Gordon, CISSP of secure access provider Pulse Secure, begins by considering the weaknesses around the scholastic industry: "The education sector is particularly vulnerable during social distancing since they need to adjust operations for millions of students and faculty throughout the United States that have been impacted by COVID-19."
Gordon also weighs in on the value of this sector: "The edtech digital marketplace is being targeted for cyberattacks and should consider more progressive security controls as institutions, parents and students seek additional online options to facilitate e-learning. Popular learning apps are often fertile ground for hackers - the ShinyHunters breach of Mathway is a prime example. As the breach exposed 25 million emails and passwords, there is the likelihood that some identity theft will go beyond consumer impact and actually expose organizations."
In terms of preventing such attacks in the future, Gordon recommends: "As edtech digital suppliers rapidly expand their user base, they must improve their security posture and enhance Zero Trust access policies, such as multi-factor authentication and encrypted communications, to reduce cyber risks, adhere to data protection obligations, and ultimately ensure the safety of their users - particularly minors."