Data belonging to 1 million students exposed by online study service OneClass
Data belonging to more than one million students in the United States and Canada who use the OneClass online study service has been discovered online in the latest case of cloud database misconfiguration.
The breach was revealed by security researchers at vpnMentor late last week. The 27 gigabyte database with nearly 9 million records was found on an unsecured Amazon Web Services Inc. Elasticsearch instance. The database included full names, email addresses, schools and universities attended, phone numbers, school registration details, and OneClass account details.
OneClass, founded in 2010, is a venture capital-funded startup that allows students to collaborate and share study resources, from self-created lecture notes to study guides. The service also offers subject matter experts who create video tutorials on common topics.
The database was initially discovered on May 20 and OneClass was contacted on May 25. The database was taken offline on May 26. OneClass says the database was only used for testing purposes and had no connection to real individuals. But vpnMentor researchers argue that’s not true, noting that they were able to match data from the exposed database to publicly available information.
The exposure, which comes as online learning has increased during the COVID-19 pandemic, poses serious security risks given that it included personally identifiable information about students using the service.
“As distance learning continues to rise due to the pandemic, so too do cyber threats,” Anurag Kahol, CTO of cloud access security broker Bitglass Inc., told SiliconANGLE. “Schools and universities should take appropriate measures to ensure the security of student data in remote environments.”
He added that although there is no evidence that the data was misused, the temporary exposure could still enable highly targeted phishing attacks that obtain sensitive information from victims.
Rene Paap, senior product manager at secure access solutions provider Pulse Secure LLC, noted that there had been other breaches at education technology companies, including Chegg in late April and Mathway in May.
“Malicious actors have dramatically escalated attacks against the education sector, turning insecure databases into serious threats, especially as compromised information makes victims easier targets for phishing schemes,” he said. “Security controls across the edtech supply chain must adapt to an expanded attack surface as institutions expand e-learning reach options and are targeted.”