An Elasticsearch database pertaining to e-learning platform OneClass was found to expose data on over one million students and lecturers, vpnMentor reveals.
Headquartered in Toronto, Canada, the remote learning platform provides students in North America with study guides and educational materials. The company claims to have served over 600,000 students to date.
In May this year, vpnMentor discovered an Elasticsearch database hosted on Amazon Web Services (AWS) that was left completely unsecured, thus allowing anyone with an Internet connection to access the information stored within.
With a size of 27 GB, the database was found to include a total of 8,972,251 records representing information on more than 1 million people. Collected prior to 2019, the data included personally identifiable information (PII) and educational data.
The data stored in the database, vpnMentor says, includes not only information on the platform’s members, but also details of people whose membership was not approved.
The security researchers discovered the exposed database on May 20 and contacted the vendor on May 25. The database was secured the next day.
OneClass, the security firm explains, confirmed that it was the owner of the database, but downplayed the impact, claiming that it was a test server, and that the data stored there “had no relation to real individuals.”
“However, during our investigation, we had used publicly available information to verify a small sample of records in the database. Taking the PII data from numerous records, we found the social profiles of lecturers and other users on various platforms that matched the records in OneClass’s database,” vpnMentor says.
Records in the database included PII such as full names and phone numbers, email addresses, information on attended sch ..
Support the originator by clicking the read the rest link below.
