In July of this year, threat actors breached Indian educational technology firm Vedantu and obtained access to the private data of around 687,000 users, breach notification site Have I Been Pwned? has discovered.
According to the website, the exposed data includes “email and IP address, names, phone numbers, genders and passwords stored as bcrypt hashes.” When Have I Been Pwned? disclosed the database dump to Vedantu, people with the firm acknowledged the breach and said they were still “in the process of informing their customers.” This effectively means that threat actors may have been using the exposed data to scam victims for months now.