Cyber Incident Victim: MyON.com

Date: Dec 2020

Location: United States of America

Summary

MyON.com suffered a data breach where 13 million user records were stolen and offered for sale by a dark web broker at $2,800. The company acknowledged unauthorized access but asserted no confidential student or customer data was compromised under applicable privacy laws, classifying the incident below breach thresholds. Exposed information included login credentials with BCrypt-hashed passwords and user names, though the firm emphasized enhanced security measures post-incident.


Description

In July 2020, MyON became aware of a threat actor attempting to sell portions of its data on the dark web, prompting an immediate investigation. The company confirmed that, according to federal and state privacy laws, no confidential student or customer data was compromised, asserting the incident did not constitute a breach of private student information. MyON implemented supplemental security protections beyond its standard measures, though specific technical controls were not disclosed publicly. The company directed inquiries to its general Security Overview and Privacy Hub documentation rather than providing detailed forensic findings. By December 2020, a data breach broker advertised 13 million MyON user records for sale at $2,800 on a hacker forum alongside stolen data from 25 other companies. Analysis of leaked samples revealed exposed login names, BCrypt-hashed passwords, and user names, contradicting MyON's initial characterization of minimal impact.

The breach represented one of eight previously undisclosed incidents among the 26 datasets marketed by the broker, with MyON being the only confirmed new breach after BleepingComputer's verification. While MyON maintained no private student data was exposed, the presence of authentication credentials and personal identifiers created potential credential-stuffing risks for users who reused passwords across services. The company did not disclose how attackers initially compromised their systems, the timeline between intrusion detection and public disclosure, or whether law enforcement was engaged. Unlike Chqbook's outright denial of breach claims, MyON acknowledged unauthorized data access while minimizing its regulatory significance. No evidence suggested academic records or payment information was exposed, but the incident highlighted discrepancies between corporate breach classifications and external threat actor valuations of stolen data.
