Students and children at risk as more than 25 million account credentials allegedly stolen from Mathway offered for sale online
“We are aware of reports of a potential data compromise,” the company said.
“We are working with cybersecurity experts to investigate further, and will take the appropriate steps to ensure the security of customer information.”
Mathway is widely used by students and children as a resource in learning maths.
The company offers its services via the web as well as through Android and iOS apps, with 10 million installs of its Android app and a No. 4 ranking in the Education category in Apple’s App Store.
The breach has been linked to a hacking group called Shiny Hunters, which has also distributed a number of other large databases of user credentials.
The group began selling the database of more than 25 million Mathway user credentials on illicit websites in early May, offering it for $4,000 (£3,285) in cryptocurrency, according to computer security firm Cyble.
The database reportedly contains email addresses and hashed passwords.
Depending on which hashing algorithm was used, attackers could potentially crack the hashes and recover the passwords in plain text, allowing them to use the credentials in attacks on other accounts where the same passwords may have been reused.
Shiny Hunters has recently been linked to data breaches affecting online marketplace Minted, Korean fashion platform StyleShare, Indonesian e-commerce company Bhinneka and photo-comparison app Wishbone, Cyble said.
Cyble’s AmIBreached service allows users to look up whether their accounts have been included in any recent data breaches.
Security researchers advise users against reusing passwords on multiple websites to avoid hacking risks.